Created attachment 631387 [details]
File: type

Created attachment 631388 [details]
File: hashmarkername

and after allowing that, it continues to nag:


SELinux is preventing /usr/sbin/fping from using the net_raw capability.

Plugin: catchall 
you want to allow fping to have net_raw access on the capabilityIf you believe that fping should have the net_raw capability by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

the cgi script needs to be able to run ping in the ping_t domain

Temporary fix:

mkdir mysmokep; cd mysmokep; echo "policy_module(mysmokep, 1.0.0) gen_require(\` type httpd_smokeping_cgi_script_t; ') netutils_domtrans_ping(httpd_smokeping_cgi_script_t)" > mysmokep.te

make -f /usr/share/selinux/devel/Makefile mysmokep.pp

semodule -i mysmokep.pp

added.

commit 49bd3ad0a443459e3acd6ed451f49c724bd66eb0
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Oct 22 15:44:00 2012 +0200

    Allow smokeping to execute fping in the neutils domain

Just for the record, I had still this one to add after updgrading to selinux-policy-3.10.0-156.fc17.noarch. I hadn't applied your temporary fix, maybe it would've done the same effect.


module mypol.pp 1.0;

require {
	type bin_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	class capability net_raw;
	class unix_stream_socket { shutdown ioctl getattr accept };
	class file { read execute open execute_no_trans };
	class rawip_socket create;
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown };
#!!!! This avc is allowed in the current policy

allow httpd_smokeping_cgi_script_t self:capability net_raw;
#!!!! This avc is allowed in the current policy

allow httpd_smokeping_cgi_script_t self:rawip_socket create;

#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy

Just for the record, there is another bug open about this #868893. SELinux doesn't produce any logs into audit.log any longer, but smokeping fcgi page works only if selinux is permissive. weird.

Could you test it with

http://koji.fedoraproject.org/koji/buildinfo?buildID=361848

thanks, doesn't give errors anymore. But it didn't anymore even without it, I had applied manually the above rules. I can remove my additions if you tell me how :)

The weird thing is that the selinux makes smokeping web page fail, even though it doesn't log anything anymore into audit.log. If I set it to permissive, smokeping fcgi works fine.

I forgot to mention clearly: So I tried your package from Koji, that is.

Please remove your local policy

# semodule -r mypol

thanks, I removed the policies using the file from my policy in comment #6.

SELinux won't nag any longer, but somehow it still prevents smokeping from working. setenforce 0 fixes smokeping fcgi.

and are you getting AVC msgs?

# setenforce 1
# setneforce 0

re-test and execute

# ausearch -m avc,user_avc

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.