Bug 868866
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket. |
| Product | [Fedora] Fedora |
| Reporter | Ilkka Tengvall <ikke> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 17 |
| CC | cra, dominick.grift, dwalsh, mgrepl |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:8d44b81f68c6f855e8c6c60b04e345879d8ee53d84c7f1c63748942e2daf87f2 |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2012-12-20 15:28:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Ilkka Tengvall
2012-10-22 10:26:27 UTC
Created attachment 631387 [details]
File: type
Created attachment 631388 [details]
File: hashmarkername
and after allowing that, it continues to nag:

SELinux is preventing /usr/sbin/fping from using the net_raw capability.

Plugin: catchall
you want to allow fping to have net_raw access on the capability
If you believe that fping should have the net_raw capability by default. You should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

the cgi script needs to be able to run ping in the ping_t domain

Temporary fix:

```
mkdir mysmokep; cd mysmokep;
echo "policy_module(mysmokep, 1.0.0)
gen_require(\`
    type httpd_smokeping_cgi_script_t;
')
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)" > mysmokep.te
make -f /usr/share/selinux/devel/Makefile mysmokep.pp
semodule -i mysmokep.pp
```

added.
commit 49bd3ad0a443459e3acd6ed451f49c724bd66eb0
Author: Miroslav Grepl <mgrepl>
Date: Mon Oct 22 15:44:00 2012 +0200
Allow smokeping to execute fping in the neutils domain
Just for the record, I had still this one to add after upgrading to selinux-policy-3.10.0-156.fc17.noarch. I hadn't applied your temporary fix, maybe it would've done the same effect.
```
module mypol.pp 1.0;

require {
	type bin_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	class capability net_raw;
	class unix_stream_socket { shutdown ioctl getattr accept };
	class file { read execute open execute_no_trans };
	class rawip_socket create;
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown };

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:capability net_raw;

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:rawip_socket create;

#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy
```
Just for the record, there is another bug open about this #868893. SELinux doesn't produce any logs into audit.log any longer, but smokeping fcgi page works only if selinux is permissive. weird.

Could you test it with
http://koji.fedoraproject.org/koji/buildinfo?buildID=361848

thanks, doesn't give errors anymore. But it didn't anymore even without it, I had applied manually the above rules. I can remove my additions if you tell me how :)

The weird thing is that the selinux makes smokeping web page fail, even though it doesn't log anything anymore into audit.log. If I set it to permissive, smokeping fcgi works fine.

I forgot to mention clearly: So I tried your package from Koji, that is.

Please remove your local policy
# semodule -r mypol

thanks, I removed the policies using the file from my policy in comment #6. SELinux won't nag any longer, but somehow it still prevents smokeping from working. setenforce 0 fixes smokeping fcgi.

and are you getting AVC msgs?
# setenforce 1
# setenforce 0
re-test and execute
# ausearch -m avc,user_avc

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
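The security point running through this thread is that `audit2allow`'s catchall turns every denial into an allow rule for the domain that was denied: for the smokeping CGI domain that would mean holding CAP_NET_RAW and creating raw sockets itself, whereas the fix that landed transitions it into ping_t via `netutils_domtrans_ping` so only the confined ping domain gets those privileges. The triage script below is an added example and is not part of this bug report, the selinux-policy package or any Fedora tool. It parses AVC records (the sample lines are constructed to mirror the denials discussed here), shows the rules a catchall would produce, and flags the ones that should become a domain transition instead. The `HIGH_RISK` list, the function names and the printed rules are this example's own choices; the rule output only approximates what `audit2allow` emits.

```python
"""Triage SELinux AVC denials before handing them to audit2allow.

Parses audit.log AVC records, approximates the catchall allow rules, and
flags grants (raw sockets, net_raw) that a web CGI domain should not hold
itself; for ping/fping the confined alternative is netutils_domtrans_ping.
"""
import re
from collections import defaultdict

# (tclass, permission) pairs that reach beyond the domain's own resources.
# Assumption for this example: these deserve a second look before being
# allowed on a web-facing domain.
HIGH_RISK = {
    ("capability", "net_raw"),
    ("capability", "net_admin"),
    ("rawip_socket", "create"),
    ("packet_socket", "create"),
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample in audit.log format; not copied from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1350900000.101:201): avc:  denied  { create } for  pid=2413 comm="fping" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
type=AVC msg=audit(1350900000.102:202): avc:  denied  { net_raw } for  pid=2413 comm="fping" capability=13  scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=capability
type=AVC msg=audit(1350900000.103:203): avc:  denied  { read open } for  pid=2414 comm="smokeping" path="/usr/sbin/fping" dev="dm-0" ino=40321 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1350900000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="smokeping"
"""


def parse_avc(line):
    """Parse one audit record; return a dict, or None when it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "stype": m.group("scontext").split(":")[2],   # source domain type
        "ttype": m.group("tcontext").split(":")[2],   # target type
        "tclass": m.group("tclass"),
    }


def parse_log(text):
    """All AVC records in an audit log, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def catchall_rules(records):
    """Approximate the allow rules audit2allow's catchall would emit:
    one rule per (source type, target type, class), permissions merged."""
    grouped = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        target = "self" if r["stype"] == r["ttype"] else r["ttype"]
        grouped[(r["stype"], target, r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def flag_high_risk(records):
    """(source type, class, permission, comm) for denials whose catchall rule
    would hand the requesting domain a privilege it should not hold itself."""
    flagged = {(r["stype"], r["tclass"], p, r["comm"])
               for r in records for p in r["perms"] if (r["tclass"], p) in HIGH_RISK}
    return sorted(flagged)


def suggest_fix(flagged):
    """Map each flagged source type to a confined alternative.  Only the ping
    case is known from this report (netutils_domtrans_ping); anything else
    gets a generic note to transition into the program's own domain."""
    out = {}
    for stype, tclass, perm, comm in flagged:
        if comm in ("ping", "fping"):
            out[stype] = f"netutils_domtrans_ping({stype})"
        else:
            out.setdefault(stype, f"transition {stype} into the program's own domain "
                                  f"instead of allowing {tclass}:{perm}")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print("# roughly what 'audit2allow -M mypol' would produce:")
    for rule in catchall_rules(recs):
        print(rule)
    print("\n# over-broad grants and the preferred interface:")
    for stype, fix in suggest_fix(flag_high_risk(recs)).items():
        print(f"{stype}: {fix}")
```

Run against real output of `ausearch -m avc,user_avc` by replacing `SAMPLE_AUDIT_LOG` with the file contents; a domain that only needs file or socket access to its own service keeps its catchall rule, while anything flagged is a candidate for an interface call in a local `.te` module of the kind shown in the temporary fix above.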