09-28-2012, 06:25 PM
"Kevin H. Hobbs"

selinux blocking ganglia-web

I just replaced the machine that runs ganglia.

httpd is being prevented from connecting to gmond.

All that is displayed is:

There was an error collecting ganglia data (127.0.0.1:8652): fsockopen
error: Permission denied

There's a message in /var/log/messages that blames selinux every time I
load the page.

and sealert says that I could change the behavior by setting
allow_ypbind or httpd_can_network_connect

allow httpd_t unreserved_port_t:tcp_socket name_connect;

I can see how letting httpd make arbitrary connections is bad, so how
can I punch a hole in the rule just for ganglia?



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
09-28-2012, 06:34 PM
Jack Craig

selinux blocking ganglia-web

Doesn't the selinux troubleshooter offer suggestions?


On Fri, Sep 28, 2012 at 11:25 AM, Kevin H. Hobbs <hobbsk@ohio.edu> wrote:

> I just replaced the machine that runs ganglia.
>
> httpd is being prevented from connecting to gmond.
>
> All that is displayed is:
>
> There was an error collecting ganglia data (127.0.0.1:8652): fsockopen
> error: Permission denied
>
> There's a message in /var/log/messages that blames selinux every time I
> load the page.
>
> and sealert says that I could change the behavior by setting
> allow_ypbind or httpd_can_network_connect
>
> allow httpd_t unreserved_port_t:tcp_socket name_connect;
>
> I can see how letting httpd make arbitrary connections is bad, so how
> can I punch a hole in the rule just for ganglia?
 
09-28-2012, 06:55 PM
"Kevin H. Hobbs"

selinux blocking ganglia-web

> From: Jack Craig <jack.craig.aptos@gmail.com>
> Doesn't the selinux troubleshooter offer suggestions?

I'm a bit embarrassed to admit that other than the very general booleans
that "sudo sealert -l $UUID" suggests setting at the end of its output,
it also suggested a very specific fix at the top of its output way off
my terminal:

sudo semanage port -a -t http_port_t -p tcp 8652

allowed httpd to connect to gmeted.

Thank you for your time.

 
09-28-2012, 08:31 PM
Jack Craig

selinux blocking ganglia-web

On Fri, Sep 28, 2012 at 11:55 AM, Kevin H. Hobbs <hobbsk@ohio.edu> wrote:

> > From: Jack Craig <jack.craig.aptos@gmail.com>
> > Doesn't the selinux troubleshooter offer suggestions?
>
> I'm a bit embarrassed to admit that other than the very general booleans
> that "sudo sealert -l $UUID" suggests setting at the end of its output,
> it also suggested a very specific fix at the top of its output way off
> my terminal:
>
> sudo semanage port -a -t http_port_t -p tcp 8652
>
> allowed httpd to connect to gmeted.
>
> Thank you for your time.

Happy to Hint ..
 
09-29-2012, 10:59 AM
Daniel J Walsh

selinux blocking ganglia-web


On 09/28/2012 02:55 PM, Kevin H. Hobbs wrote:
>> From: Jack Craig <jack.craig.aptos@gmail.com>
>> Doesn't the selinux troubleshooter offer suggestions?
>
> I'm a bit embarrassed to admit that other than the very general booleans
> that "sudo sealert -l $UUID" suggests setting at the end of its output, it
> also suggested a very specific fix at the top of its output way off my
> terminal:
>
> sudo semanage port -a -t http_port_t -p tcp 8652
>
> allowed httpd to connect to gmeted.
>
> Thank you for your time.
>
>
>
Sometimes those reports are worth reading...
 
10-01-2012, 11:02 AM
"Kevin H. Hobbs"

selinux blocking ganglia-web

On 09/29/2012 06:59 AM, Daniel J Walsh wrote:
>
> Sometimes those reports are worth reading...
>

Yes, yes they are.

I should have piped it to less.

The specific solution was at the top where it's the first thing
the reader sees in a pager like less or in the GUI selinux
debugger. This is the correct placement.

I missed the specific solution the first time I read the message
because I read from bottom to top as I scrolled backwards through
my terminal output where I saw first a description of how to let
httpd make arbitrary connections (bad), followed by some very
general information about the selinux alert itself, where I
stopped reading.

Google was _very_ unhelpful on the subject of selinux, ganglia,
and httpd. All I got were recommendations for some cluster suite
that selinux had to be disabled entirely (it does not.)

Dear Google,

The command :

semanage port -a -t http_port_t -p tcp 8652

allows httpd to talk to ganglia's gmetad despite the selinux
restriction on httpd making arbitrary connections.

I misspelled gmetad in the earlier message.
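
The check below is an added example, not part of the original thread. It reads `semanage port -l` style output and reports which SELinux port types cover a TCP port, showing why the denial named `unreserved_port_t` and what `semanage port -a -t http_port_t -p tcp 8652` changes. The listings and the helper names (`sample_listing`, `port_types`, `httpd_port_labeled`, `boolean_is_off`) are constructed for illustration; on a real host, pipe in `semanage port -l` and `getsebool -a` instead.

```shell
#!/usr/bin/env bash
# Added example: helper names and sample listings are constructed, not from the thread.

STOCK_HTTP_PORTS='80, 81, 443, 488, 8008, 8009, 8443, 9000'

# sample_listing PORTS: constructed `semanage port -l` style listing whose
# http_port_t line carries PORTS.
sample_listing() {
cat <<EOF
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      $1
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767
EOF
}

# port_types PROTO PORT: reads a listing on stdin and prints every SELinux
# port type whose entry covers PROTO/PORT (single ports and lo-hi ranges).
port_types() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }   # header, blank lines, other protocols
        {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)     # strip the list separator
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# httpd_port_labeled PORT: true only if PORT/tcp is listed under http_port_t,
# the narrow fix, rather than reachable only via a broad boolean.
httpd_port_labeled() {
    port_types tcp "$1" | grep -qx 'http_port_t'
}

# boolean_is_off NAME: reads `getsebool -a` style lines ("name --> off") on stdin.
boolean_is_off() {
    awk -v name="$1" '$1 == name && $3 == "off" { ok = 1 } END { exit !ok }'
}

echo "8652/tcp before: $(sample_listing "$STOCK_HTTP_PORTS" | port_types tcp 8652 | xargs)"
echo "8652/tcp after:  $(sample_listing "8652, $STOCK_HTTP_PORTS" | port_types tcp 8652 | xargs)"
```

In the constructed listing, port 8652 still falls inside the broad `unreserved_port_t` range after the change; the check looks for the added `http_port_t` entry, with `httpd_can_network_connect` left off.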
