On 10/26/2014 12:10 AM, admin wrote:
I've just recreated the module and enabled it, yet I can't seem to allow fping to be used by the httpd process. It seems that the last error was just a byproduct of a bad module I had not properly removed. Are there any additional troubleshooting steps I could try?
What I've done so far :
grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
semodule -i observium_fping.pp
semodule -l | grep fping
** fping 1.0 observium_fping 1.0 **
- cat /var/log/audit/audit.log | grep fping
type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket type=SYSCALL msg=audit(1414295291.964:357): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282 pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
On 10/25/2014 8:30 PM, Greg Lindahl wrote:
On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
#!!!! This avc is allowed in the current policy allow httpd_t self:capability net_raw; allow httpd_t self:rawip_socket create;
This confusing output means that the first "allow" line is in the current policy, and the second is not.
-- greg
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
You want to add this rule.
#cat observium_fping.te policy_module(observium_fping, 1.0) gen_require(` type httpd_t; ') allow httpd_t self:rawip_socket create_socket_perms;
# make -f /usr/share/selinux/devel/Makefile # semodule -i observium_fping.pp