Ok, I did just what you have here. I'm still getting the same Permission
denied.
My steps:
semanage permissive -d httpd_t
I created a file "httpd_t.te" as so:
cat >httpd_t.te <<EOF
module nfsen 1.0;
require {
type unconfined_t;
type httpd_t;
class unix_stream_socket connectto;
}
#================ httpd_t ===========
allow httpd_t unconfined_t:unix_stream_socket connectto;
EOF
Then did:
make -f /usr/share/selinux/devel/Makefile -C .
semanage module -a ./httpd_t.pp
service httpd restart
Then in /var/log/messages:
..... avc: denied { connectto } for pid=5955 comm="httpd"
path="/var/nfsen/socket/nfsen.comm" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
I've never had to do selinux before, so I'm a bit lost. What I don't get is
that the tcontext is initrc_t. I'm equating tcontext to the target, which would
be nfsen.comm, right?
So looking at that file it is clearly httpd_sys_rw_content_t
srw-rw----. nfsen nfsenadmin system_u:object_r:httpd_sys_rw_content_t:s0 nfsen.comm
There are no messages in /var/log/audit/audit.log.
The apache user is in the nfsenadmin group.
Any idea what I did wrong?
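In the denial quoted above, tcontext names the domain of the process listening on the socket (initrc_t), because a connectto check on a unix_stream_socket is made against the peer process, not against the socket file's label, so a module built from that record has to reference initrc_t rather than unconfined_t. As an added example (not code from this thread or from the nfsen project), a small Python script that derives the require block and allow rules from AVC records in the way audit2allow does; the log line is a constructed sample with a syslog prefix added to the thread's own denial:

```python
import re

# Matches an AVC denial record from /var/log/messages or audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample: the denial from the thread, with a made-up syslog prefix.
SAMPLE_LOG = [
    'Jul 17 11:51:02 nfsenhost kernel: type=1400 audit(1374076262.310:19): '
    'avc: denied { connectto } for pid=5955 comm="httpd" '
    'path="/var/nfsen/socket/nfsen.comm" '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
]


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %s' % ctx)
    return parts[2]


def parse_avc(line):
    """Extract permissions, source type, target type and class, or None if no AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {'perms': m.group('perms').split(),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass')}


def build_te(name, version, lines):
    """Aggregate denials into allow rules and render a .te module as text."""
    rules = {}  # (source, target, tclass) -> set of permissions
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d['source'], d['target'], d['tclass'])
            rules.setdefault(key, set()).update(d['perms'])
    if not rules:
        raise ValueError('no AVC denials found in input')
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}  # tclass -> union of permissions, for the require block
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (src, tgt, tclass, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'
```

Feeding the real records from the log (`grep avc /var/log/messages`) through `build_te` and writing the result to nfsen.te gives a module that can be built with the Makefile shown later in the thread and loaded with semodule -i.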
From: Basilio Kublik [mailto:[email protected]]
Sent: Wednesday, July 17, 2013 11:30 AM
To: Root, Paul T; 'Fabián Mejía'; '[email protected]'
Subject: Re: [Nfdump-discuss] NFSEN and SELinux was: RE: nfcapd not getting any
data on new install
Hi Paul,
I just reproduced, to some degree, your environment, and it worked properly for
me after allowing the connection to unix_stream_sockets from httpd on my system
using audit2allow; the content of the .te file can be seen below:
### begin of module ###
module nfsen 1.0;
require {
type unconfined_t;
type httpd_t;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t unconfined_t:unix_stream_socket connectto;
### end of module ###
After loading the module, in my particular case the error message went away and
I could load the web interface without a glitch.
My SELinux permissions on the file are slightly different but should not matter
for this case I believe:
system_u:object_r:httpd_var_run_t:s0 /var/run/nfsen/nfsen.comm
Please try to generate the module again on your system, but before loading it
with semodule -i, check that you have the line
allow httpd_t unconfined_t:unix_stream_socket connectto;
as part of your .te file.
Optionally you could write the content of the module above into a .te file
within an empty directory and execute "make -f
/usr/share/selinux/devel/Makefile -C ." to build the .pp file and then load it
on your system.
Hope this helps,
--
Basilio Kublik - IT Infrastructure Specialist
European Organisation for Astronomical Research in the Southern Hemisphere
3107 Alonso de Cordova, Vitacura / Casilla 19001, Santiago 19, Chile
Email: [email protected] Tel: +56 2 24633250 Fax: +56 2 24633105
From: Root, Paul T <[email protected]>
Date: Wednesday, July 17, 2013 11:27 AM
To: Basilio Kublik <[email protected]>, 'Fabián Mejía' <[email protected]>,
'[email protected]'
Subject: RE: [Nfdump-discuss] NFSEN and SELinux was: RE: nfcapd not getting any
data on new install
I get
denied { connectto } for pid=xxx comm="httpd"
path="/var/nfsen/socket/nfsen.comm" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Which is weird, because an ls -Z on /var/nfsen/socket/nfsen.comm is
system_u:object_r:httpd_sys_rw_content_t:s0
httpd_can_network_connect is on
Paul.
From: Basilio Kublik [mailto:[email protected]]
Sent: Wednesday, July 17, 2013 9:37 AM
To: Root, Paul T; 'Fabián Mejía'; '[email protected]'
Subject: Re: [Nfdump-discuss] NFSEN and SELinux was: RE: nfcapd not getting any
data on new install
Hi Paul,
What message do you get in /var/log/audit/audit.log when trying to load
nfsen.php? You will probably have to allow the connection to the socket for the
httpd service; you may try the following command:
setsebool -P httpd_can_network_connect 1
Let me know if this helps.
Cheers,
From: Root, Paul T <[email protected]>
Date: Tuesday, July 16, 2013 4:22 PM
To: 'Fabián Mejía' <[email protected]>, '[email protected]'
Subject: [Nfdump-discuss] NFSEN and SELinux was: RE: nfcapd not getting any
data on new install
Ok, so I was able to get this almost working.
I've created a user and a group (nfsen/nfsenadmin) that own the files in
/var/nfsen (pids, filters, and data; I moved profile-data and profile-stat to
/var/nfsen), and made nfcapd have the SELinux type httpd_exec_t. Then I moved
the socket file from /var/nfsen/run (which needs to be type httpd_cache_t) to
its own directory /var/nfsen/socket, which has a type of
httpd_sys_rw_content_t. It also has a user of system_u, but when the file is
created, it refuses to use that, and is created with unconfined_u (I think).
So I just run a restorecon after the nfsen start.
All that gets nfcapd to do the right thing and create data.
I then grabbed all the httpd_t entries from /var/log/audit/audit.log and piped
that into audit2allow to create a new policy.
So that gets me almost there. But when going to the nfsen.php page, I get
ERROR: nfsend connect() error: Permission denied!
If I set just the httpd_t module to permissive, I get a working screen. But I
really need the whole thing.
Any ideas on getting the rest of the way to full SELinux compliance?
Thanks, Paul.
From: Fabián Mejía [mailto:[email protected]]
Sent: Thursday, July 11, 2013 12:54 PM
To: [email protected]
Subject: Re: [Nfdump-discuss] nfcapd not getting any data on new install
Hello Paul
I still have this issue (partially). People on this list told me there is a
rule blocking the traffic, but iptables/ip6tables and selinux are shut down or
disabled (however you say it). I found that nfdump saves data only if it comes
from the same network (from the server's point of view); I explained it here:
http://www.mail-archive.com/[email protected]/msg00810.html
It works, but I don't know why I can't set another internal interface as the
source interface in the router's config (ip flow-export source <interface>). The
routing is OK and iptables/ip6tables/selinux are down.
If you solve this, please report it to the list.
Regards,
Fabián Mejía
On 2013-07-10 15:37, Root, Paul T wrote:
Hi,
I'm building nfdump-1.6.10 and nfsen-1.3.6p1 on a RHEL 6
server. I've shutdown iptables and ip6tables and have selinux set to
disabled. Eventually, I'll need all of those running.
Like a few others before me, I'm not getting anything in the
data files. All of them are sized at 276 bytes, i.e. no data.
I have tcpdump running on the port and I see packets come in
every 5 seconds from the router, actually it's an ASA.
I configured nfdump with: --enable-nsel -enable-nfprofiles
-enable-nftracker. And various combinations of all three of those. But never
any data.
Sorry, I can't cut and paste, it's a physically separated
network, no access from outside.
Is there a way to look at the tcpdump data to see if that is
good stuff, or is there a way with nfcapd to give more info on why it's ignoring
the packets?
My setup and observed results are identical to this thread:
http://www.mail-archive.com/[email protected]/msg00807.html
though my packet sizes on the tcpdump are larger. 1000 to 1500
bytes mostly. I have followed the advice of both replies, to no avail.
Any help would be appreciated.
Thanks,
Paul.
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss