Description of problem: With selinux enabled and in enforcing mode collectd is unable to ping using its ping plugin. collectd[871]: ping_sendto: Permission denied Not that there are NO denials logged by selinux in either the message log or the audit log. Setting SELINUX=permissive and rebooting fixes the issue and collectd IS able to ping. Version-Release number of selected component (if applicable): Completely up to date Fedora 19 system. How reproducible: Every time. Steps to Reproduce: 1. Install Collectd and the collectd ping plugin, 2. Set collectd up to ping one of more hosts. 3. Watch the message log for errors. 4. Set SELINUX=permissive and again test the ping plugin. 5. Now works. Actual results: Collectd not able to ping. Expected results: Should work. Additional info:
commit a5cf75d089d49a3e579fb6ba88db31b0ba17a04a Author: Miroslav Grepl <mgrepl> Date: Mon Jul 22 10:32:53 2013 +0200 Allow collectd to use ping plugin
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19
Package selinux-policy-3.12.1-66.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19 then log in and leave karma (feedback).
Confirm that it is fixed with the policy update. Thanks.
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
I initially thought the issue was fixed. But I was wrong. It still logging collectd[2837]: ping_sendto: Permission denied
What AVC msgs are you getting? Re-test and run # ausearch -m avc,user_avc -ts recent
No AVC messages are displaying. It still logging collectd[5352]: ping_sendto: Permission denied
Try after semodule -DB, which turns off dontaudit rules. semodule -DB Try out collectd semodule -B Gather the AVC's related to collectd.
Pease see below the AVC message time->Thu Aug 15 12:19:58 2013 type=SYSCALL msg=audit(1376531398.861:1625): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null) type=AVC msg=audit(1376531398.861:1625): avc: denied { write } for pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket time->Thu Aug 15 12:19:59 2013 type=SYSCALL msg=audit(1376531399.861:1629): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null) type=AVC msg=audit(1376531399.861:1629): avc: denied { write } for pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket
That would make sense. 88a045e26eda07fd047f5de84141be5d8707f65d fixes this in git.
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Package selinux-policy-3.12.1-71.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.