SELinux Blocking Ping

Miroslav Grepl mgrepl at redhat.com
Mon Feb 25 10:16:14 UTC 2013


On 02/22/2013 04:31 PM, Erik Boyer wrote:
>
> Oh I also forgot to mention that I did receive an SELinux denial alert
>
> And I did execute the commands listed in solution column but it too 
> did not have any effect.
>
> Thank you,
>
> Erik Boyer
> Production / IT System Support
>
> KUKA Toledo Production Operations, LLC
>
> Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
> erik.boyer at ktpo.com <mailto:erik.boyer at ktpo.com>
> www.ktpo.com <http://www.ktpo.com/>
>
> Consider the environment. If you print this email, please recycle.
>
> This e-mail may contain confidential and/or privileged information.
> If you are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this e-mail.
> Any unauthorized copying, disclosure or distribution of contents of
> this e-mail is strictly forbidden.
>
> From: Erik Boyer
> Sent: Friday, February 22, 2013 10:09 AM
> To: Selinux List
> Cc: Erik Boyer
> Subject: SELinux Blocking Ping
>
> Good Morning,
>
> I have a website written in PHP installed on a 64 bit Fedora 16 server
> that I am trying to have ping a host to monitor its availability.
>
> Because using sockets requires root access, I wrote a simple shell
> script to handle the ping, returning simply “up” or “down” back to PHP.
>
> The problem is that SELinux seems to be stopping Ping from working 
> correctly. The PHP page takes a long time to load (around 30 seconds 
> or so) and even if the host is up, the shell script still reports it 
> as down because of the exit status of ping. In the error log for PHP 
> there are thousands of lines of:
>
> ping: sendmsg: Permission denied
>
> To the point where if you ping just one host once it grows to over 200 
> MB. I have tried Google extensively and it seems others have this 
> problem but there is no real answer. I have tried setting the setuid 
> and setgid for the ping executable with chmod g+s and u+s, even giving 
> the apache user ownership permission but to no avail. The only thing 
> that has worked thus far is to turn off SELinux and then the scripts 
> work fine without issue. I should also note that I can run the shell 
> script on the shell without a problem, and the PHP exec() function can 
> run something like “whoami” without issue.
>
> I have looked at the available binary switches for SELinux but none of 
> them seem to do what I need. I really don’t want to have to turn off 
> SELinux for this server, as it is a webserver and I want as much 
> protection on it as possible.
>
> Does anyone have any suggestions? Any help is appreciated.
>
>
> Here are the contents of the shell script:
>
> #!/bin/bash
> # One probe, waiting at most 0.2 s for a reply; the exit status decides up/down
> /bin/ping -c 1 -W 0.2 "$1"
> rc=$?
> if [[ $rc -eq 0 ]] ; then
>         echo "up"
> else
>         echo "down"
> fi
>
> Here is how I am calling this through PHP ($i is predetermined earlier
> in the script):
>
> // escapeshellarg() keeps the interpolated address from being parsed as shell syntax
> $host = escapeshellarg("10.0.1." . $i);
> $ping = exec("/var/www/html/ips/ping.sh " . $host);  // exec() returns the last output line
> if ($ping == "up")
> {
>         echo "Response time: ";
>         echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl " . $host);
>         echo " ms.";
> }
>
> The perl script is taken from Cacti (installed separately via yum) but 
> does not run from my scripts with SELinux enabled. Again disabled it 
> returns values as expected, and run directly from a shell it works 
> without issue.
>
> Could anyone shed some light on this for me?
>
> Thank you,
>
This is exactly the example Dan Walsh mentioned at the DevConf we had in Brno.

The point is this is pretty powerful access which we don't want to add 
for httpd_t by default. You can always use audit2allow and add a local 
policy for your case.

1. semanage permissive -a httpd_t
2. Re-test it
3. ausearch -m avc -ts recent | audit2allow -R -M myapache
4. semodule -i myapache.pp
5. semanage permissive -d httpd_t
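Before step 4 loads the module, the rules audit2allow generated are worth reading, since the reply calls this "pretty powerful access" for httpd_t. The Python below is an added example, not code from this thread or from audit2allow: it parses AVC records of the kind `ausearch -m avc -ts recent` prints (the embedded sample is constructed), groups them into the allow rules audit2allow would emit, and flags the raw-socket and capability grants; the sample records and the `RISKY_CLASSES` set are assumptions.

```python
"""Review the AVC denials behind an audit2allow module before loading it.
Added example; parses ausearch-style AVC records, rebuilds the allow rules
audit2allow would emit, and flags classes a web-server domain should not get."""
import re
from collections import defaultdict

# Constructed sample of what ping run from PHP under httpd_t might log while
# the domain is permissive.  Not real audit output from the reporter's server.
SAMPLE_AVC = """\
type=AVC msg=audit(1361550000.101:301): avc:  denied  { create } for  pid=2210 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1361550000.103:303): avc:  denied  { write } for  pid=2210 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1361550000.104:304): avc:  denied  { node_bind } for  pid=2210 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1361550000.105:305): avc:  denied  { net_raw } for  pid=2210 comm="ping" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1361550000.106:306): avc:  denied  { read } for  pid=2210 comm="ping" name="hosts" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
"""

# Reviewer's assumption: classes that let a compromised web app craft raw packets.
RISKY_CLASSES = {"rawip_socket", "packet_socket", "capability"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = m["sctx"].split(":")[2]
        ttype = m["tctx"].split(":")[2]
        for perm in m["perms"].split():
            yield stype, ttype, m["tclass"], perm


def allow_rules(text):
    """Aggregate denials into TE allow rules the way audit2allow does."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        target = "self" if ttype == stype else ttype  # audit2allow writes "self"
        grouped[(stype, target, tclass)].add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def risky_rules(rules):
    """Rules whose object class grants broad network power to the source domain."""
    return [r for r in rules if r.split(":")[1].split()[0] in RISKY_CLASSES]
```

Any rule that `risky_rules` returns is one to question before `semodule -i`; restricting the probe to a dedicated helper domain is the alternative to widening httpd_t.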

