Bug 868866
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket. |
| Product | Fedora |
| Reporter | Ilkka Tengvall <ikke> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 17 |
| CC | cra, dominick.grift, dwalsh, mgrepl |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:8d44b81f68c6f855e8c6c60b04e345879d8ee53d84c7f1c63748942e2daf87f2 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-12-20 15:28:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Ilkka Tengvall
2012-10-22 10:26:27 UTC
Created attachment 631387
File: type

Created attachment 631388
File: hashmarkername

---

and after allowing that, it continues to nag:

```
SELinux is preventing /usr/sbin/fping from using the net_raw capability.

Plugin: catchall
If you want to allow fping to have net_raw access on the capability
If you believe that fping should have the net_raw capability by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

---

The cgi script needs to be able to run ping in the ping_t domain.

Temporary fix:

```sh
mkdir mysmokep; cd mysmokep;
echo "policy_module(mysmokep, 1.0.0)
gen_require(\`
	type httpd_smokeping_cgi_script_t;
')
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)" > mysmokep.te
make -f /usr/share/selinux/devel/Makefile mysmokep.pp
semodule -i mysmokep.pp
```

---

Added.

```
commit 49bd3ad0a443459e3acd6ed451f49c724bd66eb0
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 22 15:44:00 2012 +0200

    Allow smokeping to execute fping in the netutils domain
```

---

Just for the record, I still had this one to add after upgrading to selinux-policy-3.10.0-156.fc17.noarch. I hadn't applied your temporary fix, maybe it would've had the same effect.

```
module mypol 1.0;

require {
	type bin_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	class capability net_raw;
	class unix_stream_socket { shutdown ioctl getattr accept };
	class file { read execute open execute_no_trans };
	class rawip_socket create;
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown };

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:capability net_raw;

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:rawip_socket create;

#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy
```

---

Just for the record, there is another bug open about this: #868893.

---

SELinux doesn't produce any logs into audit.log any longer, but the smokeping fcgi page works only if selinux is permissive. Weird.

---

Could you test it with

http://koji.fedoraproject.org/koji/buildinfo?buildID=361848

thanks,

---

Doesn't give errors anymore. But it didn't anymore even without it, I had applied the above rules manually. I can remove my additions if you tell me how :)

The weird thing is that selinux makes the smokeping web page fail, even though it doesn't log anything anymore into audit.log. If I set it to permissive, smokeping fcgi works fine.

---

I forgot to mention clearly: So I tried your package from Koji, that is.

---

Please remove your local policy

```sh
# semodule -r mypol
```

thanks,

---

I removed the policies using the file from my policy in comment #6. SELinux won't nag any longer, but somehow it still prevents smokeping from working. setenforce 0 fixes smokeping fcgi.

---

and are you getting AVC msgs?

```sh
# setenforce 1
# setenforce 0
```

re-test and execute

```sh
# ausearch -m avc,user_avc
```

---

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

---

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```sh
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

---

selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
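As an added illustration, not part of the bug report, the Python below does by hand what `audit2allow -M mypol` did for the reporter: it parses AVC records and merges them into allow rules, and then points out which of those rules would hand raw networking to the CGI domain itself, which is exactly what the maintainers' fix (a `netutils_domtrans_ping` transition into `ping_t`) avoids. The audit records are constructed to match the denials discussed in this bug (pids, timestamps and the `smokeping.fcgi` comm are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (pids, timestamps made up) modelled on this bug:
# fping launched from the smokeping CGI domain needs a raw socket and CAP_NET_RAW,
# and the FastCGI script talks to httpd over a unix stream socket.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1350893187.123:4501): avc:  denied  { create } for  pid=2817 comm="fping" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1350893187.123:4501): arch=c000003e syscall=41 success=no exit=-13 comm="fping"
type=AVC msg=audit(1350893187.124:4502): avc:  denied  { net_raw } for  pid=2817 comm="fping" capability=13 scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=capability
type=AVC msg=audit(1350893191.500:4510): avc:  denied  { accept } for  pid=2801 comm="smokeping.fcgi" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1350893191.501:4511): avc:  denied  { getattr } for  pid=2801 comm="smokeping.fcgi" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
# Checks that amount to raw network access for the source domain itself; the fix
# adopted in this bug transitions fping to ping_t instead of allowing them here.
RAW_NET_PERMS = {("capability", "net_raw"), ("rawip_socket", "create")}


def parse_avc_denials(log_text):
    """Extract (source_type, target_type, tclass, [perms]) from AVC records."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types are skipped
            continue
        stype = m.group("scon").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcon").split(":")[2]
        denials.append((stype, ttype, m.group("tclass"), m.group("perms").split()))
    return denials


def denials_to_allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        # audit2allow writes a target identical to the source as 'self'
        merged[(stype, "self" if ttype == stype else ttype, tclass)].update(perms)
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def domains_wanting_raw_net(denials):
    """Source domains denied raw networking: candidates for a ping_t transition."""
    return {s for s, t, cls, perms in denials
            if t == s and any((cls, p) in RAW_NET_PERMS for p in perms)}
```

Running `domains_wanting_raw_net(parse_avc_denials(SAMPLE_AUDIT_LOG))` names `httpd_smokeping_cgi_script_t`, the domain that should transition to `ping_t` rather than receive `net_raw` and `rawip_socket create` itself.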