Description of problem:
I installed smokeping, and started httpd, and entered webpage http://localhost/smokeping/sm.cgi

Additional info:
libreport version: 2.0.14
kernel: 3.6.1-1.fc17.x86_64

description:
SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that fping should be allowed create access on the rawip_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_smokeping_cgi_script_t:s0
Target Context                system_u:system_r:httpd_smokeping_cgi_script_t:s0
Target Objects                [ rawip_socket ]
Source                        fping
Source Path                   /usr/sbin/fping
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fping-3.0-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct 10 12:13:05 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    2012-10-22 13:20:56 EEST
Last Seen                     2012-10-22 13:20:56 EEST
Local ID                      cef8cb11-e4b8-419d-8d52-b67ec17d831a

Raw Audit Messages
type=AVC msg=audit(1350901256.421:6049): avc: denied { create } for pid=9349 comm="fping" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket

type=SYSCALL msg=audit(1350901256.421:6049): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=3 a2=1 a3=7fffae008880 items=0 ppid=9291 pid=9349 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=fping exe=/usr/sbin/fping subj=system_u:system_r:httpd_smokeping_cgi_script_t:s0 key=(null)

Hash: fping,httpd_smokeping_cgi_script_t,httpd_smokeping_cgi_script_t,rawip_socket,create

audit2allow

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t self:rawip_socket create;

audit2allow -R

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t self:rawip_socket create;
Created attachment 631387
File: type

Created attachment 631388
File: hashmarkername
and after allowing that, it continues to nag:

SELinux is preventing /usr/sbin/fping from using the net_raw capability.

Plugin: catchall
you want to allow fping to have net_raw access on the capability
If you believe that fping should have the net_raw capability by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
the cgi script needs to be able to run ping in the ping_t domain

Temporary fix:

mkdir mysmokep; cd mysmokep
# local module: let the smokeping CGI domain transition into ping_t when it runs fping
echo "policy_module(mysmokep, 1.0.0)
gen_require(\`
	type httpd_smokeping_cgi_script_t;
')
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)" > mysmokep.te
make -f /usr/share/selinux/devel/Makefile mysmokep.pp
semodule -i mysmokep.pp
added.

commit 49bd3ad0a443459e3acd6ed451f49c724bd66eb0
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 22 15:44:00 2012 +0200

    Allow smokeping to execute fping in the neutils domain
Just for the record, I still had this one to add after upgrading to selinux-policy-3.10.0-156.fc17.noarch. I hadn't applied your temporary fix, maybe it would've had the same effect.

module mypol 1.0;

require {
	type bin_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	class capability net_raw;
	class unix_stream_socket { shutdown ioctl getattr accept };
	class file { read execute open execute_no_trans };
	class rawip_socket create;
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown };

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:capability net_raw;

#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:rawip_socket create;

#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy
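As an added example, not code from this report or from the selinux-policy project: a small Python parser that turns AVC records like the ones in the description into the same allow rules audit2allow printed, and separately flags that fping ran in the CGI domain rather than ping_t, which is the situation the maintainer's domtrans fix addresses (a raw allow only papers over it). The log text is constructed from the report's records plus an assumed second AVC for the net_raw denial from the first comment; the name `ping_t` comes from the temporary-fix comment.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC/SYSCALL pair from this report plus an assumed net_raw AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1350901256.421:6049): avc:  denied  { create } for  pid=9349 comm="fping" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1350901256.421:6049): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=3 a2=1 items=0 ppid=9291 pid=9349 uid=48 comm=fping exe=/usr/sbin/fping subj=system_u:system_r:httpd_smokeping_cgi_script_t:s0
type=AVC msg=audit(1350901300.100:6050): avc:  denied  { net_raw } for  pid=9352 comm="fping" capability=13 scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?\bcomm="?(?P<comm>[^" ]+)"?.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)')

def parse_avc(log_text):
    """One dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records

def context_type(ctx):
    """user:role:type:level -> type (the part type enforcement decides on)."""
    return ctx.split(":")[2]

def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        src, tgt = context_type(r["scontext"]), context_type(r["tcontext"])
        perms[(src, "self" if src == tgt else tgt, r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def wrong_domain(records, comm="fping", expected="ping_t"):
    """Source domains in which `comm` ran although it should have transitioned into `expected`."""
    return sorted({context_type(r["scontext"]) for r in records
                   if r["comm"] == comm and context_type(r["scontext"]) != expected})
```

A non-empty result from `wrong_domain()` says the missing piece is the domain transition, not more permissions for the CGI domain.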
Just for the record, there is another bug open about this #868893. SELinux doesn't produce any logs into audit.log any longer, but smokeping fcgi page works only if selinux is permissive. weird.
Could you test it with http://koji.fedoraproject.org/koji/buildinfo?buildID=361848
thanks, it doesn't give errors anymore. But it didn't even without it, since I had applied the above rules manually. I can remove my additions if you tell me how :) The weird thing is that SELinux makes the smokeping web page fail, even though it doesn't log anything into audit.log anymore. If I set it to permissive, smokeping fcgi works fine.
I forgot to mention clearly: I tried your package from Koji, that is.
Please remove your local policy

# semodule -r mypol
thanks, I removed the policies using the file from my policy in comment #6. SELinux won't nag any longer, but somehow it still prevents smokeping from working. setenforce 0 fixes smokeping fcgi.
and are you getting AVC msgs?

# setenforce 1
# setenforce 0

re-test and execute

# ausearch -m avc,user_avc
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.