CentOS 6.5 – Fping – SE Linux – Missing Type Enforcement (TE) Allow Rule


Hi gents,

I seem to have a small issue with fping and Observium (a monitoring solution). The particular VPS I’m using does have SELinux enabled and it seems to be causing issues when the httpd process is attempting to use Fping?

Here is what I know so far:

Output from “audit2why -a”:

————-

3 thoughts on - CentOS 6.5 – Fping – SE Linux – Missing Type Enforcement (TE) Allow Rule

  • This confusing output means that the first “allow” line is in the current policy, and the second is not.

    — greg

  • I’ve just recreated the module and enabled it, yet I can’t seem to allow fping to be used by the httpd process. It seems that the last error was just a byproduct of a bad module I had not properly removed. Are there any additional troubleshooting steps I could try?

    What I’ve done so far:

    1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
    2) semodule -i observium_fping.pp

    3) semodule -l | grep fping
    **
    fping 1.0
    observium_fping 1.0
    **

    4) cat /var/log/audit/audit.log | grep fping

    type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
    type=SYSCALL msg=audit(1414295291.964:357): arch

  • You want to add this rule.

    # cat observium_fping.te
    policy_module(observium_fping, 1.0)
    gen_require(`
        type httpd_t;
    ')
    allow httpd_t self:rawip_socket create_socket_perms;

    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i observium_fping.pp
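
How the AVC denial quoted in the thread maps onto a Type Enforcement allow rule, as an added example that is not part of the original thread and is not audit2allow's own code. The function names and the sample log are assumptions made for illustration; the sample is constructed from the record in the thread plus invented lines.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AVC record quoted in the thread;
# the SYSCALL line and the second (setopt) record are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414295291.964:357): avc: denied { create } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): syscall=41 success=no comm="fping"
type=AVC msg=audit(1414295292.101:358): avc: denied { setopt } for pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text, comm=None):
    """Turn AVC denials into allow rules, merging permissions per
    (source type, target type, class). Optionally keep a single comm."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same type is written as "self"
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, comm="fping"):
        print(rule)
```

Only permissions that appear in a logged denial end up in the output, so a log holding just the `create` record yields a rule for `create` alone. The rule is keyed on the `httpd_t` type, so it applies to every process running in that domain, not only to fping.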