SELinux Blocking Ping

Miroslav Grepl mgrepl at redhat.com
Mon Feb 25 10:17:25 UTC 2013


On 02/25/2013 11:16 AM, Miroslav Grepl wrote:
> On 02/22/2013 04:31 PM, Erik Boyer wrote:
>>
>> Oh I also forgot to mention that I did receive an SELinux denial alert
>>
>> And I did execute the commands listed in the solution column, but it too
>> did not have any effect.
>>
>> Thank you,
>>
>> Erik Boyer
>> Production / IT System Support
>>
>> KUKA Toledo Production Operations, LLC
>>
>> Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
>> erik.boyer at ktpo.com <mailto:erik.boyer at ktpo.com>
>> www.ktpo.com <http://www.ktpo.com/>
>>
>> Consider the environment. If you print this email, please recycle.
>>
>> This e-mail may contain confidential and/or privileged information. 
>> If you are not the intended recipient (or have received this e-mail 
>> in error) please notify the sender immediately and destroy this 
>> e-mail. Any unauthorized copying, disclosure or distribution of 
>> contents of this e-mail is strictly forbidden.
>>
>> From: Erik Boyer
>> Sent: Friday, February 22, 2013 10:09 AM
>> To: Selinux List
>> Cc: Erik Boyer
>> Subject: SELinux Blocking Ping
>>
>> Good Morning,
>>
>> I have a website written in PHP installed on a 64-bit Fedora 16
>> server that I am trying to have ping a host to monitor its availability.
>>
>> Because using sockets requires root access I wrote a simple shell 
>> script to handle the ping, returning simply “up” or “down” back to PHP.
>>
>> The problem is that SELinux seems to be stopping Ping from working 
>> correctly. The PHP page takes a long time to load (around 30 seconds 
>> or so) and even if the host is up, the shell script still reports it 
>> as down because of the exit status of ping. In the error log for PHP 
>> there are thousands of lines of:
>>
>> ping: sendmsg: Permission denied
>>
>> To the point where if you ping just one host once it grows to over 
>> 200 MB. I have tried Google extensively and it seems others have this 
>> problem but there is no real answer. I have tried setting the setuid 
>> and setgid for the ping executable with chmod g+s and u+s, even 
>> giving the apache user ownership permission but to no avail. The only 
>> thing that has worked thus far is to turn off SELinux and then the 
>> scripts work fine without issue. I should also note that I can run 
>> the shell script on the shell without a problem, and the PHP exec() 
>> function can run something like “whoami” without issue.
>>
>> I have looked at the available binary switches for SELinux but none 
>> of them seem to do what I need. I really don’t want to have to turn 
>> off SELinux for this server, as it is a webserver and I want as much 
>> protection on it as possible.
>>
>> Does anyone have any suggestions? Any help is appreciated.
>>
>>
>> Here are the contents of the shell script:
>>
>> #!/bin/bash
>> # Ping the host given as $1 once; report "up" on success, "down" otherwise.
>> /bin/ping -c 1 -W 0.2 "$1"
>> rc=$?
>> if [[ $rc -eq 0 ]] ; then
>>         echo "up"
>> else
>>         echo "down"
>> fi
>>
>> Here is how I am calling this through PHP ($i is predetermined
>> earlier in the script):
>>
>> $ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);
>> if ($ping == "up")
>> {
>>         echo "Response time: ";
>>         echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);
>>         echo " ms.";
>> }
>>
>> The perl script is taken from Cacti (installed separately via yum) 
>> but does not run from my scripts with SELinux enabled. Again disabled 
>> it returns values as expected, and run directly from a shell it works 
>> without issue.
>>
>> Could anyone shed some light on this for me?
>>
>> Thank you,
>>
>> Erik Boyer
>>
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> This is exactly the example Dan Walsh mentioned at DevConf in Brno, which we had.
>
> The point is this is pretty powerful access which we don't want to add 
> for httpd_t by default. You can always use audit2allow and add a local 
> policy for your case.
>
> 1. semanage permissive -a httpd_t
> 2. Re-test it
> 3. ausearch -m avc -ts recent | audit2allow -R -M myapache
> 4. semodule -i myapache.pp
> 5. semanage permissive -d httpd_t
>
But yes, the following solution is much better.

policy_module(localhttpping, 1.0.4)

require {
        type httpd_sys_script_t;
        type httpd_t;
}
netutils_domtrans_ping(httpd_sys_script_t)
netutils_domtrans_ping(httpd_t)


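The two approaches in this thread, the audit2allow capture with httpd_t temporarily permissive and the domain-transition module, as one added example script. It is not part of the thread or of the Fedora policy: the module text is the one posted above, and the script's subcommands (show, install, verify, capture, remove) are this example's own names. It assumes selinux-policy-devel (which supplies /usr/share/selinux/devel/Makefile and the netutils_domtrans_ping interface), policycoreutils-python and setools-console are installed, and that install, verify and capture run as root on the web server. The capture step leaves audit2allow's output in myapache.te for review rather than loading it, because the rules it proposes would grant httpd_t the raw-socket access directly, whereas the transition to ping_t keeps that access in the ping domain.

```shell
#!/bin/bash
# Added example, not code from the original thread or the distribution policy.
# Builds, loads and checks the localhttpping module so that httpd_t and
# httpd_sys_script_t transition into ping_t when they execute /bin/ping.
# Assumes selinux-policy-devel, policycoreutils-python and setools-console.
set -eu

MODULE=localhttpping

# Emit the type-enforcement source posted in the thread. Only the two web
# domains are named; the raw-socket permissions stay in ping_t.
write_te() {
    cat <<'EOF'
policy_module(localhttpping, 1.0.4)

require {
        type httpd_sys_script_t;
        type httpd_t;
}

netutils_domtrans_ping(httpd_sys_script_t)
netutils_domtrans_ping(httpd_t)
EOF
}

# Compile the .te with the refpolicy development Makefile and load the .pp.
build_and_install() {
    write_te > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
}

# Show what the loaded policy now does: the type_transition rules, the label
# the ping binary must carry for them to fire, and that the module is loaded.
verify() {
    sesearch -T -s httpd_t -t ping_exec_t -c process
    sesearch -T -s httpd_sys_script_t -t ping_exec_t -c process
    matchpathcon /bin/ping
    semodule -l | grep "^$MODULE"
}

# The audit2allow route from the thread, with httpd_t permissive only for the
# duration of the reproduction command passed as arguments
# (example: capture curl -s http://localhost/ips/). The generated rules are
# written to myapache.te for review; nothing is loaded here.
capture_denials() {
    [ $# -gt 0 ] || { echo "capture needs a command that reproduces the request" >&2; exit 2; }
    semanage permissive -a httpd_t
    "$@" || true
    ausearch -m avc -ts recent | audit2allow -R -M myapache
    semanage permissive -d httpd_t
    echo "inspect myapache.te; load only if the rules are acceptable: semodule -i myapache.pp" >&2
}

# Unload the module again if the web application no longer needs it.
remove_module() {
    semodule -r "$MODULE"
}

# With no argument the script only prints the policy source, which is safe
# to run on any host; the other subcommands need root and the SELinux tools.
case "${1:-show}" in
    show)    write_te ;;
    install) build_and_install ;;
    verify)  verify ;;
    capture) shift; capture_denials "$@" ;;
    remove)  remove_module ;;
    *)       echo "usage: $0 {show|install|verify|capture <cmd...>|remove}" >&2; exit 2 ;;
esac
```

Run `verify` after `install` before touching the PHP page: if `matchpathcon /bin/ping` does not report ping_exec_t, the binary has been relabeled (for example by copying it) and no transition will happen regardless of the module.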