selinux blocking ganglia-web
I just replaced the machine that runs ganglia.
httpd is being prevented from connecting to gmond. All that is displayed is:

There was an error collecting ganglia data (127.0.0.1:8652): fsockopen error: Permission denied

There's a message in /var/log/messages that blames selinux every time I load the page, and sealert says that I could change the behavior by setting allow_ypbind or httpd_can_network_connect

allow httpd_t unreserved_port_t:tcp_socket name_connect;

I can see how letting httpd make arbitrary connections is bad, so how can I punch a hole in the rule just for ganglia?

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
selinux blocking ganglia-web
Doesn't the selinux troubleshooter offer suggestions?
On Fri, Sep 28, 2012 at 11:25 AM, Kevin H. Hobbs <hobbsk@ohio.edu> wrote:
> I just replaced the machine that runs ganglia.
>
> httpd is being prevented from connecting to gmond. All that is displayed is:
>
> There was an error collecting ganglia data (127.0.0.1:8652): fsockopen error: Permission denied
>
> There's a message in /var/log/messages that blames selinux every time I load the page, and sealert says that I could change the behavior by setting allow_ypbind or httpd_can_network_connect
>
> allow httpd_t unreserved_port_t:tcp_socket name_connect;
>
> I can see how letting httpd make arbitrary connections is bad, so how can I punch a hole in the rule just for ganglia?
selinux blocking ganglia-web
> From: Jack Craig <jack.craig.aptos@gmail.com>
> doesn't the selinux troubleshooter offer suggestions?

I'm a bit embarrassed to admit that other than the very general booleans that "sudo sealert -l $UUID" suggests setting at the end of its output, it also suggested a very specific fix at the top of its output way off my terminal:

sudo semanage port -a -t http_port_t -p tcp 8652

allowed httpd to connect to gmeted.

Thank you for your time.
selinux blocking ganglia-web
On Fri, Sep 28, 2012 at 11:55 AM, Kevin H. Hobbs <hobbsk@ohio.edu> wrote:
> > From: Jack Craig <jack.craig.aptos@gmail.com>
> > doesn't the selinux troubleshooter offer suggestions?
>
> I'm a bit embarrassed to admit that other than the very general booleans that "sudo sealert -l $UUID" suggests setting at the end of its output, it also suggested a very specific fix at the top of its output way off my terminal:
>
> sudo semanage port -a -t http_port_t -p tcp 8652
>
> allowed httpd to connect to gmeted.
>
> Thank you for your time.

Happy to Hint .. :)
selinux blocking ganglia-web
On 09/28/2012 02:55 PM, Kevin H. Hobbs wrote:
>> From: Jack Craig <jack.craig.aptos@gmail.com>
>> doesn't the selinux troubleshooter offer suggestions?
>
> I'm a bit embarrassed to admit that other than the very general booleans that "sudo sealert -l $UUID" suggests setting at the end of its output, it also suggested a very specific fix at the top of its output way off my terminal:
>
> sudo semanage port -a -t http_port_t -p tcp 8652
>
> allowed httpd to connect to gmeted.
>
> Thank you for your time.

Sometimes those reports are worth reading...
selinux blocking ganglia-web
On 09/29/2012 06:59 AM, Daniel J Walsh wrote:
> Sometimes those reports are worth reading...

Yes, yes they are. I should have piped it to less.

The specific solution was at the top where it's the first thing the reader sees in a pager like less or in the GUI selinux debugger. This is the correct placement.

I missed the specific solution the first time I read the message because I read from bottom to top as I scrolled backwards through my terminal output where I saw first a description of how to let httpd make arbitrary connections (bad), followed by some very general information about the selinux alert itself, where I stopped reading.

Google was _very_ unhelpful on the subject of selinux, ganglia, and httpd. All I got were recommendations for some cluster suite that selinux had to be disabled entirely (it does not.)

Dear Google,

The command :

semanage port -a -t http_port_t -p tcp 8652

allows httpd to talk to ganglia's gmetad despite the selinux restriction on httpd making arbitrary connections.

I misspelled gmetad in the earlier message.
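
The triage this thread arrives at, as an added example that is not part of any poster's message: a shell function that reads an AVC denial record and, for an httpd outbound TCP connect to a port with the generic unreserved_port_t label, prints the per-port semanage command instead of reaching for httpd_can_network_connect. The sample record is constructed (only the port and type names come from the thread), and the function and variable names are hypothetical.

```sh
#!/bin/sh
# Constructed AVC record for the denial in this thread: port and SELinux
# types come from the thread, pid/timestamp/levels are made up.
SAMPLE_AVC='type=AVC msg=audit(1348845900.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print the value of one key=value field of an AVC record.
avc_field() {   # $1 = record, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# The SELinux type is the third colon-separated part of a context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# suggest_port_label RECORD
#   0: prints the per-port fix for an httpd outbound TCP connect denial
#   1: record is some other denial, nothing printed
#   2: target port already has a specific label, review by hand
suggest_port_label() {
    rec=$1
    case $rec in *'{ name_connect }'*) ;; *) return 1 ;; esac
    [ "$(avc_field "$rec" tclass)" = tcp_socket ] || return 1
    [ "$(ctx_type "$(avc_field "$rec" scontext)")" = httpd_t ] || return 1
    port=$(avc_field "$rec" dest)
    case $port in ''|*[!0-9]*) return 1 ;; esac
    # Only the generic label from the thread is handled automatically;
    # any other type means the port belongs to another service's policy.
    [ "$(ctx_type "$(avc_field "$rec" tcontext)")" = unreserved_port_t ] || return 2
    printf 'semanage port -a -t http_port_t -p tcp %s\n' "$port"
}

suggest_port_label "$SAMPLE_AVC"
```

The per-port label is narrower than httpd_can_network_connect, which lets httpd connect to any port, but it also lets httpd listen on that port. On a live system, `semanage port -l | grep -w 8652` shows the label once the command has been applied.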