Bug 120451 - user cannot run ping/traceroute/...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: i686 Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2004-04-08 16:55 EDT by Tom London
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-04-12 11:31:36 EDT
Description Tom London 2004-04-08 16:55:10 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312

Description of problem:
with "setenforce 1", ping localhost (also traceroute localhost) fails with
     ping: icmp open socket: Permission denied

Here are the messages from /var/log/messages:
    Apr  8 13:57:26 fedora kernel: audit(1081457846.875:0): avc: denied  { create } for  pid=2224 exe=/bin/ping scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=rawip_socket
    Apr  8 13:57:26 fedora kernel: audit(1081457846.875:0): avc: denied  { setuid } for  pid=2224 exe=/bin/ping capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability

Both work with "setenforce 0"


Version-Release number of selected component (if applicable):
policy-1.10.1-4

How reproducible:
Always

Steps to Reproduce:
1. enter "ping localhost" as non-root.

Actual Results:  
     ping: icmp open socket: Permission denied

Additional info:
Comment 1 Daniel Walsh 2004-04-12 11:31:36 EDT
There is a new feature in SELinux that allows you to modify a running
policy.  Basically you can define booleans in policy that an admin can
then decide to turn on or off.  To allow users to ping you can execute
the following command.

> ping 4.2.2.2
ping: icmp open socket: Permission denied
> show_bools
user_ping --> active: 0 pending: 0

As root
# change_bool user_ping 1

> show_bools
user_ping --> active: 1 pending: 1

> ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=0 ttl=248 time=10.0 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=248 time=10.6 ms

To show the available booleans you can use show_bools.
show_bools
user_ping --> active: 0 pending: 0
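
As an added illustration (not part of this bug report, and not code from the SELinux tools it mentions), the following Python script parses the two AVC records quoted in the description and the show_bools output quoted in comment 1. It decodes capability=7 to CAP_SETUID, collapses the denials into "what the user_t domain was refused on which object class", and reports the state of the user_ping boolean. That is the information an admin wants in hand before deciding whether a boolean flip is the right fix or whether the denial is something to leave blocked. The sample log lines are copied from the report and re-joined onto one line each (they wrap in /var/log/messages); the capability table is a partial copy of the kernel's capability numbering; the function names are the script's own.

```python
import re

# Constructed sample input: the two AVC records from the bug description,
# re-joined onto one line each, and the show_bools output from comment 1.
AVC_LINES = [
    "Apr  8 13:57:26 fedora kernel: audit(1081457846.875:0): avc: denied  { create } "
    "for  pid=2224 exe=/bin/ping scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_t tclass=rawip_socket",
    "Apr  8 13:57:26 fedora kernel: audit(1081457846.875:0): avc: denied  { setuid } "
    "for  pid=2224 exe=/bin/ping capability=7 scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_t tclass=capability",
    "Apr  8 13:57:27 fedora kernel: unrelated log line with no avc record",
]
SHOW_BOOLS_OUTPUT = "user_ping --> active: 0 pending: 0\n"

# Partial table of Linux capability numbers (as in the kernel's capability.h).
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
}

# Core of an AVC record: verdict, the braced permission list, then key=value pairs.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line carries none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # A capability denial carries the capability number; name it for the reader.
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capability_name"] = CAPABILITY_NAMES.get(int(rec["capability"]), "CAP_<unknown>")
    return rec


def summarize_denials(records):
    """Collapse denials into (source domain, target class) -> permissions refused."""
    needs = {}
    for r in records:
        if r is None or r["verdict"] != "denied":
            continue
        domain = r["scontext"].split(":")[2]  # user_u:user_r:user_t -> user_t
        needs.setdefault((domain, r["tclass"]), set()).update(r["perms"])
    return needs


def parse_show_bools(text):
    """Parse 'name --> active: N pending: N' lines into {name: {active, pending}}."""
    bools = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+-->\s+active:\s*(\d)\s+pending:\s*(\d)", line)
        if m:
            bools[m.group(1)] = {"active": int(m.group(2)), "pending": int(m.group(3))}
    return bools


if __name__ == "__main__":
    records = [parse_avc(l) for l in AVC_LINES]
    for (domain, tclass), perms in sorted(summarize_denials(records).items()):
        print(f"{domain} denied {sorted(perms)} on {tclass}")
    for r in records:
        if r and "capability_name" in r:
            print(f"pid {r['pid']} ({r['exe']}) needed {r['capability_name']}")
    state = parse_show_bools(SHOW_BOOLS_OUTPUT).get("user_ping")
    print("user_ping boolean:", "not present" if state is None else state)
```

Reading the summary tells an admin that /bin/ping in the unprivileged user_t domain was refused both a raw-IP socket and CAP_SETUID, which is consistent with a setuid ping dropping privileges after opening its ICMP socket; with that picture, the user_ping boolean from comment 1 is the targeted fix rather than running ping with enforcement off.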
