Hi gents,
I seem to have a small issue with fping and Observium (a monitoring solution). The particular VPS I'm using does have SELinux enabled and it seems to be causing issues when the httpd process is attempting to use Fping?
Here is what I know so far:
Output from "audit2why -a":
---------------
type=AVC msg=audit(1414265994.125:6744): avc: denied { create } for pid=8968 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0
	Was caused by:
		Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
---------------
Which does seem to confirm that something is wrong between httpd and fping.
I then ran "audit2allow -M fping-httpd < audit2allow" which did create both the .te and .pp files. The issue is that inside the .te file, I have a warning saying that the rule already exists! Which does make sense since I had to allow those particular functions for the Mysql connection to function properly.
--------------- .te file:
module fping-httpd 1.0;

require {
	type httpd_t;
	class capability net_raw;
	class rawip_socket create;
}

#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
---------------
Is the "Missing type enforcement" related to all of this? I really don't want to disable SELinux and would rather learn to actually use it properly.
Thank you!
On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
This confusing output means that the first "allow" line is in the current policy, and the second is not.
-- greg
I've just recreated the module and enabled it, yet I can't seem to allow fping to be used by the httpd process. It seems that the last error was just a byproduct of a bad module I had not properly removed. Are there any additional troubleshooting steps I could try?
What I've done so far:
1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
2) semodule -i observium_fping.pp
3) semodule -l | grep fping
fping	1.0
observium_fping	1.0
4) cat /var/log/audit/audit.log | grep fping
type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282 pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
On 10/25/2014 8:30 PM, Greg Lindahl wrote:
On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
This confusing output means that the first "allow" line is in the current policy, and the second is not.
-- greg
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 10/26/2014 12:10 AM, admin wrote:
I've just recreated the module and enabled it, yet I can't seem to allow fping to be used by the httpd process. It seems that the last error was just a byproduct of a bad module I had not properly removed. Are there any additional troubleshooting steps I could try?
What I've done so far:
grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
semodule -i observium_fping.pp
semodule -l | grep fping
fping	1.0
observium_fping	1.0
cat /var/log/audit/audit.log | grep fping
type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282 pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
On 10/25/2014 8:30 PM, Greg Lindahl wrote:
On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
This confusing output means that the first "allow" line is in the current policy, and the second is not.
-- greg
You want to add this rule.
# cat observium_fping.te
policy_module(observium_fping, 1.0)

gen_require(`
	type httpd_t;
')

allow httpd_t self:rawip_socket create_socket_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i observium_fping.pp
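Added example, not from this thread nor from the audit2allow sources: a small Python re-implementation of what "grep fping audit.log | audit2allow -M ..." does with the AVC records quoted above, so that each line of the generated .te file can be traced back to a field of the denial (scontext type, tcontext type, tclass, and the permissions in braces). The sample log is constructed from the thread's record plus a capability net_raw denial of the kind the earlier module covered; the function and module names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log format quoted in this thread (pid and
# serial values are illustrative; the second AVC line is made up for the demo).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): arch=c000003e syscall=41 success=no exit=-13 comm="fping" exe="/usr/sbin/fping"
type=AVC msg=audit(1414295291.964:358): avc: denied { net_raw } for pid=5283 comm="fping" capability=13 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Third field of a user:role:type:level context, e.g. httpd_t."""
    return ctx.split(':')[2]

def parse_avc_denials(log_text, comm=None):
    """Group denied permissions by (source type, target type, class).
    A target equal to the source is written as 'self', as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL record, or an AVC line without tcontext/tclass
        src, tgt = context_type(m['scontext']), context_type(m['tcontext'])
        rules[(src, 'self' if tgt == src else tgt, m['tclass'])].update(m['perms'].split())
    return rules

def render_te(module_name, rules):
    """Render the rules as a minimal, loadable .te policy module."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != 'self'})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te("observium_fping", parse_avc_denials(SAMPLE_AUDIT_LOG, comm="fping")))
```

This does not consult the loaded policy, so it cannot reproduce the "!!!! This avc is allowed in the current policy" annotation Greg explains above; "sesearch -A -s httpd_t -t httpd_t -c rawip_socket -p create" (from setools) is the way to check whether a given allow rule is already present in the running policy before building a module for it.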