On 02/22/2013 04:31 PM, Erik Boyer wrote:
>
> Oh I also forgot to mention that I did receive an SELinux denial alert
>
> And I did execute the commands listed in solution column but it too
> did not have any effect.
>
> Thank you,
>
> Erik Boyer
> Production / IT System Support
>
> KUKA Toledo Production Operations, LLC
>
> Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
> erik.boyer(a)ktpo.com <mailto:erik.boyer@ktpo.com>
> www.ktpo.com <http://www.ktpo.com/>
>
> Consider the environment. If you print this email, please recycle.
>
> This e-mail may contain confidential and/or privileged information.
> If you are not the intended recipient (or have received this e-mail
> in error) please notify the sender immediately and destroy this
> e-mail. Any unauthorized copying, disclosure or distribution of
> contents of this e-mail is strictly forbidden.
>
> From: Erik Boyer
> Sent: Friday, February 22, 2013 10:09 AM
> To: Selinux List
> Cc: Erik Boyer
> Subject: SELinux Blocking Ping
>
> Good Morning,
>
> I have a website written in PHP installed on a 64 bit Fedora 16
> server that I am trying to have ping a host to monitor its availability.
>
> Because using sockets requires root access I wrote a simple shell
> script to handle the ping, returning simply “up” or “down” back to PHP.
>
> The problem is that SELinux seems to be stopping Ping from working
> correctly. The PHP page takes a long time to load (around 30 seconds
> or so) and even if the host is up, the shell script still reports it
> as down because of the exit status of ping. In the error log for PHP
> there are thousands of lines of:
>
> ping: sendmsg: Permission denied
>
> To the point where if you ping just one host once it grows to over
> 200 MB. I have tried Google extensively and it seems others have this
> problem but there is no real answer. I have tried setting the setuid
> and setgid for the ping executable with chmod g+s and u+s, even
> giving the apache user ownership permission but to no avail. The only
> thing that has worked thus far is to turn off SELinux and then the
> scripts work fine without issue. I should also note that I can run
> the shell script on the shell without a problem, and the PHP exec()
> function can run something like “whoami” without issue.
>
> I have looked at the available binary switches for SELinux but none
> of them seem to do what I need. I really don’t want to have to turn
> off SELinux for this server, as it is a webserver and I want as much
> protection on it as possible.
>
> Does anyone have any suggestions? Any help is appreciated.
>
>
> Here are the contents of the shell script:
>
> /bin/ping -c 1 -W 0.2 "$1"
> rc=$?
> if [[ $rc -eq 0 ]] ; then
>     echo "up"
> else
>     echo "down"
> fi
>
> Here is how I am calling this through PHP ($i is predetermined
> earlier in the script):
>
> $ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);
>
> if ($ping == "up")
> {
>     echo "Response time: ";
>     echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);
>     echo " ms.";
> }
>
> The perl script is taken from Cacti (installed separately via yum)
> but does not run from my scripts with SELinux enabled. Again, with SELinux
> disabled it returns values as expected, and run directly from a shell it
> works without issue.
>
> Could anyone shed some light on this for me?
>
> Thank you,
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Exactly this example Dan Walsh mentioned at DevConf in Brno, which we had.
The point is this is pretty powerful access which we don't want to add
for httpd_t by default. You can always use audit2allow and add a local
policy for your case.
1. semanage permissive -a httpd_t
2. Re-test it
3. ausearch -m avc -ts recent | audit2allow -R -M myapache
4. semodule -i myapache.pp
5. semanage permissive -d httpd_t

But yes, the following solution is much better.
policy_module(localhttpping, 1.0.4)

require {
    type httpd_sys_script_t;
    type httpd_t;
}

netutils_domtrans_ping(httpd_sys_script_t)
netutils_domtrans_ping(httpd_t)
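The wrapper quoted above hands whatever PHP passes straight to ping, and PHP builds that argument by string concatenation. Once the module above is loaded, ping itself runs confined in ping_t, so the wrapper is the remaining piece of code in the web script domain that touches the argument. As an added example (not the original poster's script and not from the list), here is a POSIX sh replacement for ping.sh that accepts only a well-formed dotted-quad IPv4 literal and passes it to ping quoted. It assumes ping lives at /bin/ping as in the quoted script; the addresses used in the test are constructed.

```shell
#!/bin/sh
# Hardened stand-in for the ping.sh wrapper quoted in the thread (added
# example, not the poster's code). The argument comes from PHP
# ("10.0.1." . $i); check it is an IPv4 literal before ping sees it and
# quote it so the shell never re-parses it.

PING=/bin/ping   # same fixed path as the original script (assumed)

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with each octet in
# 0..255 and no leading zeros, 1 otherwise. Pure POSIX sh: no regex tools,
# no external commands.
is_ipv4() {
    addr=$1
    # reject empty input and any character outside digits and dots
    case $addr in
        '' | *[!0-9.]* ) return 1 ;;
    esac
    # split on '.' into positional parameters; must be exactly four fields
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '' )     return 1 ;;   # empty field, e.g. "10..1.1" or ".1.2.3"
            ????* )  return 1 ;;   # more than three digits
            0?* )    return 1 ;;   # leading zero: "010" would be read as octal
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_host ADDR -> prints "up" or "down" exactly as the original wrapper
# did; a malformed argument prints nothing on stdout and returns 2, so the
# PHP comparison against "up" stays false.
check_host() {
    if ! is_ipv4 "$1"; then
        echo "ping.sh: refusing argument that is not an IPv4 address" >&2
        return 2
    fi
    # -c 1: a single probe. -W takes whole seconds in every iputils release.
    # ping's own output is discarded so a denied sendmsg cannot flood the
    # PHP error log the way the poster described.
    if "$PING" -c 1 -W 1 "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# Command-line entry point: ./ping.sh 10.0.1.7
# Nothing runs when the file is sourced without arguments.
if [ "$#" -gt 0 ]; then
    check_host "$1"
    exit $?
fi
```

The validation is deliberately the whole of what the wrapper does before calling ping: the SELinux module still decides which domain ping executes in (ping_t via netutils_domtrans_ping), while the wrapper only decides what text is allowed to reach it.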