LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-29-2013, 11:12 PM   #1
ndhami23
LQ Newbie
 
Registered: May 2012
Location: Nepal
Distribution: Redhat
Posts: 4

Rep: Reputation: Disabled
Selinux blocking ping results ...ICMP ping Timed out (CentOS 6.4, Cacti 0.8.8)


Hi,
I have set up a new server on CentOS release 6.4 OS and installed Cacti 0.8.8b on it. Everything is fine, but I am getting "ICMP ping Timed out" for Ping Results. When I checked the log, I am getting

Code:
Dec 27 15:42:23 cacti-ipnet kernel: type=1400 audit(1388138243.303:33420): avc: denied { create } for pid=23069 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket
log messages related to SELinux. When I disable SELinux the ICMP timed out error goes away, but I don't want to disable SELinux on my server for security reasons. Is there any way to solve this issue, either by disabling SELinux for ICMP or some other way?

Thank you in advance !!!


I am getting the following log when I run:
Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
Can anybody help with how I can fix the issue?

I suppose I fixed the issue related to SELinux, but again I am getting a "ping: recvmsg: Permission denied" error in the /var/log/httpd/error_log file. Any suggestions on how I can solve this?

Last edited by unSpawn; 12-30-2013 at 05:46 AM. Reason: //Retain 0-reply state (next time please edit your original post)
 
Old 01-01-2014, 05:22 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
Quote:
Originally Posted by ndhami23 View Post
I suppose I fixed the issue related to SELinux, but
Remember that posting feedback and solutions helps others. So how did you do that?


Quote:
Originally Posted by ndhami23 View Post
again I am getting a "ping: recvmsg: Permission denied" error in the /var/log/httpd/error_log file. Any suggestions on how I can solve this?
Did you change SELinux policy earlier on?
Did you change anything related to the account that httpd runs as?
What does 'getsebool selinuxuser_ping' return?
What does 'stat -c %a `which ping`;' return?
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?
Is the firewall blocking pings?
 
Old 01-04-2014, 09:55 AM   #3
ndhami23
LQ Newbie
 
Registered: May 2012
Location: Nepal
Distribution: Redhat
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi unSpawn,
Thank you very much for the reply. I am happy to let you know here how I solved the above issue.

Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
To convert these errors into the required SELinux rules I ran the following command:

Code:
grep ping /var/log/audit/audit.log | audit2allow -M mypol

grep ping /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

Code:
semodule -i mypol.pp

[root@cacti-ipnet backup]# semodule -i mypol.pp


[root@cacti-ipnet ~]# cat /var/log/messages | audit2allow


#============= httpd_sys_script_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t self:capability { setuid net_raw };

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t self:rawip_socket { getopt create setopt };

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;

#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t telnetd_port_t:tcp_socket name_connect;

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, user_tmp_t, xdm_spool_t, fonts_cache_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, etc_runtime_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, xkb_var_lib_t, gconf_home_t, xdm_rw_etc_t, krb5_host_rcache_t, nfs_t, user_home_t

allow xdm_t admin_home_t:file { read write create open setattr };
[root@cacti-ipnet ~]#

And this is how I accomplished this. But again I am getting the same error, "ping: recvmsg: Permission denied".

Code:
[root@cacti-ipnet ~]# tail -f /var/log/httpd/error_log
ping: recvmsg: Permission denied
Regarding the other queries, please find my remarks inline:

Did you change SELinux policy earlier on?
No, I haven't.

Did you change anything related to the account that httpd runs as?
One of my colleagues has changed some permissions for the folder and files, but I didn't remember where he made the changes.

What does 'getsebool selinuxuser_ping' return?
Code:
[root@cacti-ipnet ~]# getsebool selinuxuser_ping
Error getting active value for selinuxuser_ping
[root@cacti-ipnet ~]# getsebool -a | grep ping
user_ping --> on
[root@cacti-ipnet ~]#
What does 'stat -c %a `which ping`;' return?
Code:
[root@cacti-ipnet ~]# stat -c %a `which ping`;
4755
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?

Code:
[root@cacti-ipnet ~]# tail -f /var/log/httpd/error_log
ping: recvmsg: Permission denied
ping: recvmsg: Permission denied
Code:
[root@cacti-ipnet ~]# tail -f /var/log/messages
Dec 30 16:48:22 cacti-ipnet pulseaudio[9248]: module.c: Failed to load  module "module-x11-xsmp" (argument: "display=localhost:11.0 session_manager=local/unix:@/tmp/.ICE-unix/9870,unix/unix:/tmp/.ICE-unix/9870"): initialization failed.
Dec 30 16:49:28 cacti-ipnet gnome-keyring-daemon[9896]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:28 cacti-ipnet gnome-keyring-daemon[9896]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:30 cacti-ipnet gnome-keyring-daemon[9162]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:30 cacti-ipnet gnome-keyring-daemon[9162]: dbus failure unregistering from session: Connection is closed
Dec 30 16:49:37 cacti-ipnet kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan  4 21:16:45 cacti-ipnet kernel: type=1404 audit(1388849505.581:15): enforcing=1 old_enforcing=0 auid=0 ses=2403
Jan  4 21:16:45 cacti-ipnet dbus: avc:  received setenforce notice (enforcing=1)
Jan  4 21:16:45 cacti-ipnet dbus: avc:  received setenforce notice (enforcing=1)
Jan  4 21:16:45 cacti-ipnet dbus: [system] Reloaded configuration
Code:
[root@cacti-ipnet ~]# tail -f /var/log/audit/audit.log 
type=SYSCALL msg=audit(1388397466.494:31170): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a6d80 a2=c4190c a3=c3f5d4 items=0 ppid=4498 pid=4506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1388397466.497:31171): table=filter family=2 entries=4

Is the firewall blocking pings?
Nope, I have disabled the firewall but the problem still persists. It only works when I disable SELinux.

Can you please suggest any idea to solve the problem, or any way I can trace the "ping: recvmsg: Permission denied" error and turn off the error message?

Thank you very much again for the reply. I will be looking forward to your reply.

Last edited by unSpawn; 01-04-2014 at 10:07 AM. Reason: //Add vBB code tags
 
Old 01-04-2014, 11:33 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
On RHEL, CentOS and Fedora SELinux defaults to using the "targeted" policy. This policy is a balance between usability and enhanced security. It achieves that state by allowing unprivileged user processes to run as unrestricted as possible (in the "unconfined_t" context) and confining network-facing and other processes to their own domains (OpenSSH: "sshd_t", Sendmail: "sendmail_t", AVAHI: "avahi_t") as much as possible. Especially the latter is important because this makes a machine running the targeted policy more difficult to breach over the 'net through those confined processes, as analysis of actual incidents has shown. In all three Linux distributions this policy is the culmination of over a decade's worth of work by people running SELinux, various contributors and well-known people like Ulrich Drepper, Steve Grubb, Stephen Smalley and Dan Walsh, backed by companies and institutions like the NSA, Red Hat, IBM, HP, MITRE and Tresys. Simply put, it's been forged in Fire and tested in combat.

With the below five rules you've managed to override a carefully crafted policy and grant confined contexts access to capabilities they do not have, nor need, by default.


Quote:
Originally Posted by ndhami23 View Post
Code:
[root@cacti-ipnet .ssh]# cat /var/log/messages | audit2allow command.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;
By adding "capability setuid" you allow any script running in the "httpd_sys_script_t" context the capability to run any setuid process, and with "rawip_socket" you allow both "httpd_sys_script_t" and "httpd_t" the capability to sniff raw output of Ethernet devices or generate raw IP traffic.


Quote:
Originally Posted by ndhami23 View Post
Code:
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t telnetd_port_t:tcp_socket name_connect;
Like the comment says this should have been enabled by flipping a boolean.


Quote:
Originally Posted by ndhami23 View Post
Code:
#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, user_tmp_t, xdm_spool_t, fonts_cache_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, etc_runtime_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, xkb_var_lib_t, gconf_home_t, xdm_rw_etc_t, krb5_host_rcache_t, nfs_t, user_home_t

allow xdm_t admin_home_t:file { read write create open setattr };
[root@cacti-ipnet ~]#
Apart from the fact that you should not be running a Desktop Manager if this is a headless server, here you allow a confined context access to the /root directory.

*If you didn't understand anything of what I wrote above then you only have to know that whatever you or your colleagues did was nice but wrong.
Please undo those modifications before commencing.


Quote:
Originally Posted by ndhami23 View Post
Quote:
Originally Posted by unspawn
Did you change anything related to the account that httpd runs as?
One of my colleagues has changed some permissions for the folder and files, but I didn't remember where he made the changes.
There's no need to "remember": ask him! And run 'rpm -Vv httpd; find /var/www -maxdepth 1 -printf "%Z %m %u:%g %p\n"|column -t'.

Quote:
Originally Posted by ndhami23 View Post
Quote:
Originally Posted by unspawn
Are there any related (error) messages in audit.log or httpd access / error_log or dmesg?
Code:
[root@cacti-ipnet ~]# tail -f
No, you should read the log file and select lines or 'grep' for errors, not just 'tail' a log file.
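
Added example, not part of the thread or any poster's code: a shell function that triages audit2allow output before it is loaded with `semodule -i`, separating rules that audit2allow says a boolean already covers from rules that grant a capability, a raw IP socket or access to admin_home_t. The sample input is constructed from the rules quoted in this thread; the function name `triage_rules` and the verdict labels are assumptions.

```shell
#!/bin/sh
# Added example: triage audit2allow output before loading it with semodule -i.
# SAMPLE_RULES is constructed from the rules quoted in this thread.
SAMPLE_RULES='#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t self:rawip_socket create;

#============= httpd_t ==============
allow httpd_t self:rawip_socket create;

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t telnetd_port_t:tcp_socket name_connect;

#============= xdm_t ==============
allow xdm_t admin_home_t:file { read write create open setattr };'

# triage_rules (hypothetical name): reads audit2allow output on stdin and
# prints one verdict per allow rule:
#   BOOLEAN - audit2allow names a boolean that already covers the access
#   REVIEW  - grants a capability, a raw IP socket or access to admin_home_t
#   OTHER   - none of the above; still read it before loading the module
triage_rules() {
    awk '
        # Remember that the next comment line lists the candidate booleans.
        /^#!!!! This avc can be allowed using/ { want_bool = 1; next }
        want_bool && /^#/ { sub(/^#[ \t]*/, ""); bools = $0; want_bool = 0; next }
        /^allow / {
            verdict = "OTHER"; note = ""
            if (bools != "") {
                verdict = "BOOLEAN"; note = " (" bools ")"
            } else if ($0 ~ /:capability |:rawip_socket | admin_home_t:/) {
                verdict = "REVIEW"
            }
            print verdict ": " $0 note
            bools = ""
        }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | triage_rules
```

On a live system the input would be the `mypol.te` file that `audit2allow -M mypol` writes next to `mypol.pp`. A module already loaded this way is removed with `semodule -r mypol`.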
 
  

