[CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

Sun Oct 26 10:04:40 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 10/26/2014 12:10 AM, admin wrote:
> I've just recreated the module and enabled it, yet I can't seem to
> allow fping to be used by the httpd process. It seems that the last
> error was just a byproduct of a bad module I had not properly removed.
> Are there any additional troubleshooting steps I could try?
>
> What I've done so far:
>
> 1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
> 2) semodule -i observium_fping.pp
>
> 3) semodule -l | grep fping
> **
> fping   1.0
> observium_fping 1.0
> **
>
> 4) cat /var/log/audit/audit.log | grep fping
>
> type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for 
> pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
> type=SYSCALL msg=audit(1414295291.964:357): arch=c000003e syscall=41
> success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282
> pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> On 10/25/2014 8:30 PM, Greg Lindahl wrote:
>> On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
>>
>>> #!!!! This avc is allowed in the current policy
>>> allow httpd_t self:capability net_raw;
>>> allow httpd_t self:rawip_socket create;
>> This confusing output means that the first "allow" line is in the
>> current policy, and the second is not.
>>
>> -- greg
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
You want to add this rule.

#cat observium_fping.te
policy_module(observium_fping, 1.0)
gen_require(`
    type httpd_t;
')
allow httpd_t self:rawip_socket create_socket_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i observium_fping.pp
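Added example, not part of the thread: a small POSIX shell script that derives the allow rule from the fields of an AVC denial the way audit2allow does, using the rawip_socket denial quoted above as its sample, and then wraps the rules in a .te skeleton laid out like observium_fping.te. It also handles a denial whose target type differs from the source type (a constructed file denial), so it covers more than the single self rule in the thread; the function names and the second sample line are my own.

```sh
#!/bin/sh
# Constructed sample input: the rawip_socket denial quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for  pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket'
# Constructed second sample (not from the thread): a file denial with a
# target type that differs from the source type and two permissions.
AVC_FILE_SAMPLE='type=AVC msg=audit(1414300000.123:400): avc:  denied  { read getattr } for  pid=5300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_to_rule LINE -> prints "allow <stype> <target>:<tclass> { perms };"
# The type is the third colon-separated field of each context. When the
# source and target types match, the rule targets "self", as in the thread.
# Like audit2allow, it emits only the permissions the denial names; Dan's
# reply widens that to the reference policy's create_socket_perms set.
avc_to_rule() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    # Not an AVC denial (or a truncated one): refuse rather than guess.
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    set -- $perms            # word-split to normalise spacing in the permission list
    if [ "$stype" = "$ttype" ]; then target=self; else target=$ttype; fi
    printf 'allow %s %s:%s { %s };\n' "$stype" "$target" "$tclass" "$*"
}

# write_te_module NAME RULE... -> prints a .te file: policy_module header,
# a gen_require block listing every type the rules reference, then the rules.
write_te_module() {
    name=$1; shift
    printf 'policy_module(%s, 1.0)\n' "$name"
    printf 'gen_require(`\n'
    for rule; do printf '%s\n' "$rule"; done |
        awk '{ print "    type " $2 ";"; split($3, t, ":");
               if (t[1] != "self") print "    type " t[1] ";" }' | sort -u
    printf "')\n"
    for rule; do printf '%s\n' "$rule"; done
}

avc_to_rule "$AVC_SAMPLE"
write_te_module observium_fping "$(avc_to_rule "$AVC_SAMPLE")" "$(avc_to_rule "$AVC_FILE_SAMPLE")"
```

The generated .te is built and loaded exactly as in the message above (make -f /usr/share/selinux/devel/Makefile, then semodule -i); check a fresh audit.log afterwards, since one rule often only uncovers the next denial.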