LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-29-2013, 11:12 PM   #1
ndhami23
LQ Newbie
 
Registered: May 2012
Location: Nepal
Distribution: Redhat
Posts: 4

Rep: Reputation: Disabled
Selinux blocking ping results ...ICMP ping Timed out (CentOS 6.4, Cacti 0.8.8)


Hi,
I have setup a new server on CentOS release 6.4 OS and install cacti 0.8.8b on it, everything is fine but i am getting ICMP ping Timed out for Ping Results. when i checked the log i am getting

Code:
Dec 27 15:42:23 cacti-ipnet kernel: type=1400 audit(1388138243.303:33420): avc: denied { create } for pid=23069 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket
log messages related to selinux. when i disable selinux icmp timed out error goes away but i dont want to disable selinux on my server for security reason. Is there any way to solve this issue either disabling selinux for icmp or any other way?

Thank you in advance !!!


i am getting follwoing log when i run ,
Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
can anybody help to how can i fix the issue?

i suppose i fixed the issue related the selinux but again i am getting ping: recvmsg: Permission denied error on /var/log/httpd/error_log file? any suggestions how can i solve this?

Last edited by unSpawn; 12-30-2013 at 05:46 AM. Reason: //Retain 0-reply state (next time please edit your original post)
 
Old 01-01-2014, 05:22 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by ndhami23 View Post
i suppose i fixed the issue related the selinux but
Remember that posting feedback and solutions helps others. So how did you do that?


Quote:
Originally Posted by ndhami23 View Post
again i am getting ping: recvmsg: Permission denied error on /var/log/httpd/error_log file? any suggestions how can i solve this?
Did you change SELinux policy earlier on?
Did you change anything related to the account that httpd runs as?
What does 'getsebool selinuxuser_ping' return?
What does 'stat -c %a `which ping`;' return?
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?
Is the firewall blocking pings?
 
Old 01-04-2014, 09:55 AM   #3
ndhami23
LQ Newbie
 
Registered: May 2012
Location: Nepal
Distribution: Redhat
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi unSpawn,
Thank you very much for the reply. I am happy to let here know how did i solve the above issue.

Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
To convert these errors into the required SELinux rules i run the following command:

Code:
grep ping /var/log/audit/audit.log | audit2allow -M mypol

grep ping /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

Code:
semodule -i mypol.pp

[root@cacti-ipnet backup]# semodule -i mypol.pp


[root@cacti-ipnet ~]# cat /var/log/messages | audit2allow


#============= httpd_sys_script_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t self:capability { setuid net_raw };

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t self:rawip_socket { getopt create setopt };

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;

#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t telnetd_port_t:tcp_socket name_connect;

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, user_tmp_t, xdm_spool_t, fonts_cache_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, etc_runtime_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, xkb_var_lib_t, gconf_home_t, xdm_rw_etc_t, krb5_host_rcache_t, nfs_t, user_home_t

allow xdm_t admin_home_t:file { read write create open setattr };
[root@cacti-ipnet ~]#

and this is how i accomplish this. But again i am getting the same error "ping: recvmsg: Permission denied"

Code:
[root@cacti-ipnet ~]# tail -f /var/log/httpd/error_log
ping: recvmsg: Permission denied
Regarding other queires please find remarks inline,

Did you change SELinux policy earlier on?
no, i havent.

Did you change anything related to the account that httpd runs as?
my one colleague has changed the some permission for the folder and files, but i didnt remember where did he made the changes.

What does 'getsebool selinuxuser_ping' return?
Code:
[root@cacti-ipnet ~]# getsebool selinuxuser_ping
Error getting active value for selinuxuser_ping
[root@cacti-ipnet ~]# getsebool -a | grep ping
user_ping --> on
[root@cacti-ipnet ~]#
What does 'stat -c %a `which ping`;' return?
Code:
[root@cacti-ipnet ~]# stat -c %a `which ping`;
4755
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?

Code:
[root@cacti-ipnet ~]# tail -f /var/log/httpd/error_log
ping: recvmsg: Permission denied
ping: recvmsg: Permission denied
Code:
[root@cacti-ipnet ~]# tail -f /var/log/messages
Dec 30 16:48:22 cacti-ipnet pulseaudio[9248]: module.c: Failed to load  module "module-x11-xsmp" (argument: "display=localhost:11.0 session_manager=local/unix:@/tmp/.ICE-unix/9870,unix/unix:/tmp/.ICE-unix/9870"): initialization failed.
Dec 30 16:49:28 cacti-ipnet gnome-keyring-daemon[9896]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:28 cacti-ipnet gnome-keyring-daemon[9896]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:30 cacti-ipnet gnome-keyring-daemon[9162]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:30 cacti-ipnet gnome-keyring-daemon[9162]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:37 cacti-ipnet kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan  4 21:16:45 cacti-ipnet kernel: type=1404 audit(1388849505.581:15): enforcing=1 old_enforcing=0 auid=0 ses=2403
Jan  4 21:16:45 cacti-ipnet dbus: avc:  received setenforce notice (enforcing=1)
Jan  4 21:16:45 cacti-ipnet dbus: avc:  received setenforce notice (enforcing=1)
Jan  4 21:16:45 cacti-ipnet dbus: [system] Reloaded configuration
Code:
[root@cacti-ipnet ~]# tail -f /var/log/audit/audit.log 
type=SYSCALL msg=audit(1388397466.494:31170): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a6d80 a2=c4190c a3=c3f5d4 items=0 ppid=4498 pid=4506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=system_u:system_r:iptables_t:s0 key=(null) type=NETFILTER_CFG msg=audit(1388397466.497:31171): table=filter family=2 entries=4

Is the firewall blocking pings?
nope, i have disabled the firewall but still the problem persists. it only works when i disable the selinux .

Can you please suggest any idea to solve the problem or any way i can trace ping: recvmsg: Permission denied error and turn off the error message.

Thank you very much again for the reply. i will be looking for your reply.

Last edited by unSpawn; 01-04-2014 at 10:07 AM. Reason: //Add vBB code tags
 
Old 01-04-2014, 11:33 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
On RHEL, CentOS and Fedora SELinux defaults to using the "targeted" policy. This policy is a balance between usability and enhanced security. It achieves that state by allowing unprivileged user processes to run as unrestricted as possible (in the "unconfined_t" context) and confining network-facing and other processes to their own domains (OpenSSH: "sshd_t", Sendmail: "sendmail_t", AVAHI: "avahi_t") as possible. Especially the latter is important because this makes a machine running the targeted policy more difficult to breach over the 'net through those confined processes as analysis of actual incidents has shown. In all three Linux distributions this policy is the culmination of over a decades worth work of people running SELinux, various contributors and well-known people like Ulrich Drepper, Steve Grubb, Stephen Smalley and Dan Walsh, backed by companies and institutions like the NSA, Red Hat, IBM, HP, MITRE and Tresys. Simply put it's been forged in Fire and tested in combat.

With the below five rules you've managed to override a carefully crafted policy and grant confined contexts access to capabilities they do not have, nor need, by default.


Quote:
Originally Posted by ndhami23 View Post
Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
Adding "capability setuid" you allow any script running in the "httpd_sys_script_t" context the capability to run any setuid process and with ""rawip_socket"" you allow both "httpd_sys_script_t" and "httpd_t" the capability to sniff raw output of Ethernet devices or generate raw IP traffic.


Quote:
Originally Posted by ndhami23 View Post
Code:
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t telnetd_port_t:tcp_socket name_connect;
Like the comment says this should have been enabled by flipping a boolean.


Quote:
Originally Posted by ndhami23 View Post
Code:
#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, user_tmp_t, xdm_spool_t, fonts_cache_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, etc_runtime_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, xkb_var_lib_t, gconf_home_t, xdm_rw_etc_t, krb5_host_rcache_t, nfs_t, user_home_t

allow xdm_t admin_home_t:file { read write create open setattr };
[root@cacti-ipnet ~]#
Apart from the fact that you should not be running a Desktop Manager if this is a headless server, here you allow a confined context access to the /root directory.

*If you didn't understand anything of what I wrote above then you only have to know that whatever you or your colleagues did was nice but wrong.
Please undo those modifications before commencing.


Quote:
Originally Posted by ndhami23 View Post
Quote:
Originally Posted by unspawn
Did you change anything related to the account that httpd runs as?
my one colleague has changed the some permission for the folder and files, but i didnt remember where did he made the changes.
There's no need to "remember": ask him! And run 'rpm -Vv httpd; find /var/www -maxdepth 1 -printf "%Z %m %u:%g %p\n"|column -t'.

Quote:
Originally Posted by ndhami23 View Post
Quote:
Originally Posted by unspawn
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?
Code:
[root@cacti-ipnet ~]# tail -f
No, you should read the log file and select lines or 'grep' for errors, not just 'tail' a log file.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Strange Ping Issue - Can't ping localhost but can ping others on LAN code_slinger Linux - Networking 15 03-30-2015 02:39 PM
I cannot ping with command 'ping IP' address but can ping with 'ping IP -I eth0' sanketmlad Linux - Networking 2 07-15-2011 05:32 AM
ICMP and UDP Ping AsadMoeen Linux - Server 2 03-08-2011 11:32 AM
Simple question about command syntax ping/log ping results ohalnet Linux - Networking 1 07-25-2006 04:46 AM
Why ICMP packet for ping and nmap. bruse Linux - Networking 2 12-12-2005 09:48 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:06 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration