icmp Operation not permitted message on ping
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 13 14:27:15 UTC 2012
On 02/10/2012 10:13 AM, don fisher wrote:
> On 02/10/12 13:07, Rick Stevens wrote:
>> On 02/10/2012 11:19 AM, Kevin Martin wrote:
>>>
>>>
>>> On 02/10/2012 08:10 AM, don fisher wrote:
>>>> On 02/10/12 11:15, Rick Stevens wrote:
>>>>> On 02/10/2012 05:08 AM, don fisher wrote:
>>>>>> On 02/10/12 08:17, Kevin Martin wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 02/09/2012 03:20 PM, don fisher wrote:
>>>>>>>> Sorry to be back again. My mail and browser work, and
>>>>>>>> I can ping as root. When I try to ping as a user I
>>>>>>>> get:
>>>>>>>>
>>>>>>>> ping: icmp open socket: Operation not permitted
>>>>>>>>
>>>>>>>> There is probably a group that I need to add to my
>>>>>>>> profile, but it was not obvious to me. Suggestions
>>>>>>>> welcome. Is there a way to add groups to my account
>>>>>>>> without using system-config-users?
>>>>>>>>
>>>>>>>> Where are these things documented?
>>>>>>>>
>>>>>>>> Thanks, Don
>>>>>>>
>>>>>>> Don, what are the permissions on /bin/ping (ls -al
>>>>>>> /bin/ping)? Mine are set to 755 (-rwxr-xr-x) and ping
>>>>>>> works for me as non-root.
>>>>>>>
>>>>>>> Kevin
>>>>>> Yesterday I built a new system on another disk that
>>>>>> allows ping to work as expected. My system crashed once, so
>>>>>> a few things must have been "disturbed". I was trying to
>>>>>> figure out how to repair it.
>>>>>
>>>>> Smells like an selinux thing. Check your logs to see if
>>>>> you're getting AVC denials. If so, you may need to
>>>>> relabel.
>>>> Rick, where are the selinux messages logged? I looked in
>>>> /var/log/secure and the only thing I saw was a notice of when
>>>> I used sudo to test ping. What would I need to relabel? I am
>>>> a dunce on security issues.
>>
>> They'd be in /var/log/messages if that's what's happening. You
>> can "touch /.autorelabel" to force a full autorelabel on reboot.
>> That can take some time.
>> ----------------------------------------------------------------------
>> - Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
>> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
>> -                                                                    -
>> -    We are born naked, wet and hungry.  Then things get worse.      -
>> ----------------------------------------------------------------------
>
> Thanks. I tried that as you had mentioned it yesterday. I tried a new
> version 3.2.3-2 of the kernel, but it will not handle my radeon
> chip set. Still at 3.1.9-1. All I touch appears broken:-(
>
> Don

I doubt this is SELinux related. If ping works as root and does not
as non root, I would suspect this has to do with capabilities.

getcap /bin/ping
/bin/ping = cap_net_raw+ep

ls -l /bin/ping
-rwxr-xr-x. 1 root root 40840 Nov 10 04:32 /bin/ping

Ping needs the cap_net_raw capability to work, meaning it is allowed
to send raw packets on the network. Either it needs to be setuid or
use file capabilities.
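
Added example, not part of the original thread: a shell check that turns the `ls -l` and `getcap` output from the reply above into a verdict on how a non-root user would obtain cap_net_raw. The function names classify_raw_priv and check_binary are hypothetical; the script also accepts the "FILE cap_net_raw=ep" form that newer getcap versions print, and assumes GNU stat for the live check.

```shell
#!/bin/sh
# Added example; classify_raw_priv and check_binary are hypothetical helper names.

# classify_raw_priv MODE OWNER GETCAP_LINE
#   MODE        permission string as printed by `ls -l` (e.g. -rwxr-xr-x.)
#   OWNER       file owner
#   GETCAP_LINE output of `getcap FILE`, empty if no capabilities are set
# Prints how a non-root caller would obtain cap_net_raw:
#   setuid-root | file-cap | none
classify_raw_priv() {
    mode=$1 owner=$2 capline=$3

    # Setuid shows up as 's' in the owner-execute position of the mode string.
    case $mode in
        ???s*) if [ "$owner" = root ]; then echo setuid-root; return 0; fi ;;
    esac

    # Accept both "FILE = cap_net_raw+ep" (as on the page) and the
    # "FILE cap_net_raw=ep" form printed by newer libcap releases.
    for clause in $capline; do
        case $clause in
            *cap_net_raw*[+=]*)
                flags=${clause##*[+=]}
                # Require effective (e) and permitted (p), as in "+ep".
                case $flags in
                    *e*p*|*p*e*) echo file-cap; return 0 ;;
                esac ;;
        esac
    done

    echo none
}

# check_binary FILE: run the same classification against a real file.
# Assumes GNU stat and getcap (libcap) are installed.
check_binary() {
    m=$(stat -c %A "$1") || return 1
    o=$(stat -c %U "$1") || return 1
    classify_raw_priv "$m" "$o" "$(getcap "$1" 2>/dev/null)"
}

# Working state shown in the reply above.
classify_raw_priv '-rwxr-xr-x.' root '/bin/ping = cap_net_raw+ep'   # file-cap
# Constructed: same mode, capability lost -> ping fails for non-root.
classify_raw_priv '-rwxr-xr-x.' root ''                            # none
# Constructed: older setuid-root packaging.
classify_raw_priv '-rwsr-xr-x.' root ''                            # setuid-root
```

A result of "none" for ping matches the symptom in this thread; restoring either the setuid bit or the file capability (for example with setcap) is the repair the reply points to.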
More information about the users mailing list