selinux+ping+apache

Support for security such as Firewalls and securing linux
ToinoBiclas
Posts: 3
Joined: 2014/09/20 08:06:56

selinux+ping+apache

Post by ToinoBiclas » 2014/10/23 10:11:15

I'm hosting a page that does some SNMP get/walks and makes some pings to test host reachability.

PHP page snippet

Code:

// escapeshellcmd() is applied to the whole command line here, not escapeshellarg() to the untrusted argument
$cmdping = 'sh /var/lib/cacti/scripts/other/ping.sh' . ' ' . get_first_chunk($_POST['targetIPPing']);
$escaped_cmdping = escapeshellcmd($cmdping);

The shell script is just a direct call to ping:

Code:

[root@localhost other]# cat ping.sh
#!/bin/bash

# send 5 echo requests to the host passed as the first argument (quoted to avoid word splitting)
ping -c 5 "$1"

Whenever I call the ping command through the webpage, SELinux is triggered.
Attempting to solve the issue, I performed the following steps:
1. Put SELinux in permissive mode for httpd_t
2. 'cat /var/log/audit/audit.log | audit2allow -M httpd_ping'
3. Install the newly created module
4. Put httpd_t back into enforcing mode

Code:

module httpd_ping 1.0;

require {
        type httpd_t;
        class capability net_raw;
        class rawip_socket { getopt create setopt };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt };

The system no longer complains about raw socket creation. audit.log has no new lines, i.e. 'ausearch -m avc -ts recent' says <no matches>. But the ping still doesn't work... this time I get:

Code:

sh /var/lib/cacti/scripts/other/ping.sh 1.1.1.1

ping: sendmsg: Permission denied
ping: recvmsg: Permission denied
ping: recvmsg: Permission denied
ping: recvmsg: Permission denied
ping: recvmsg: Permission denied
...

SURPRISE, SURPRISE... The fact that audit.log has nothing is misleading: whenever I put SELinux out of the way with 'semanage permissive -a httpd_t', the ping runs flawlessly! :?

Could you kindly help me work around this issue?

Thanks in advance

Additional data:

Code:

cat /etc/redhat-release
CentOS release 6.5 (Final)

ls -la /bin/ping
-rwsr-xr-x. 1 root root 36892 Sep 26  2013 /bin/ping

cat /etc/passwd | grep apache
apache:x:48:48:Apache:/var/www:/sbin/nologin


ToinoBiclas
Posts: 3
Joined: 2014/09/20 08:06:56

Re: selinux+ping+apache

Post by ToinoBiclas » 2014/10/30 10:16:15

I've just sent the ping command through ssh to another machine and caught the output.

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: selinux+ping+apache

Post by gulikoza » 2014/10/30 10:51:04

IMHO, the architecture of such an application is highly insecure. So poking holes in SELinux is the last thing you should do.
Considering Shellshock & co., calling a shell from a PHP script should be a no-no.

Have you considered other solutions? For instance, http://sourceforge.net/projects/mon has a wide range of monitors (and a pretty simple Perl interface for writing new ones), including a web interface to view statuses...

mainziman
Posts: 8
Joined: 2014/03/11 19:24:17
Location: AT/Linz

Re: selinux+ping+apache

Post by mainziman » 2016/08/26 19:59:13

try this ...

Code:

module httpd_icmp 1.0;

require {
        type httpd_sys_script_t;
        class capability { setuid net_raw };
        class netlink_socket create;
        class rawip_socket { getopt create setopt write read };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability { setuid net_raw };
allow httpd_sys_script_t self:netlink_socket create;
allow httpd_sys_script_t self:rawip_socket { getopt create setopt write read };

Greetings from Austria,
Walter H.
--
VMware Machines:
- IMAP/SMTP (Cyrus,Postfix,SpamAssassin,ClamAV)
- DNS (BIND)
- Apache,MySQL,...
- SSL-Proxy (Squid,ClamAV)
Mini-PC as Router/Firewall:
- HE IPv6 Tunnel, DHCPv6, RADVD, DNS (BIND)
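As an added example (not code from the thread or from audit2allow itself), here is a small Python stand-in for the audit2allow step in the first post, run over constructed AVC records; it also maps ping's sendmsg/recvmsg errors to the rawip_socket { write read } permissions that Walter's module includes and the first module lacks. The AVC lines, pid and timestamps are made up; the syscall-to-permission map (sendmsg checks 'write', recvmsg checks 'read' on the socket class) is standard SELinux behaviour.

```python
import re
from collections import defaultdict
# Added example, not code from the thread: a small audit2allow stand-in that turns
# AVC "denied" records into TE allow rules, plus a map from ping's "sendmsg/recvmsg:
# Permission denied" errors to the socket perms a dontaudit rule can keep out of audit.log.
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)'
                    r' tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')
# Constructed AVC records in audit.log format (not copied from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1414058000.101:301): avc:  denied  { net_raw } for  pid=2101 comm="ping" capability=13  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1414058000.102:302): avc:  denied  { create } for  pid=2101 comm="ping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1414058000.103:303): avc:  denied  { setopt } for  pid=2101 comm="ping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1414058000.104:304): avc:  denied  { getopt } for  pid=2101 comm="ping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
"""
# ping's stderr as quoted in the thread, once the httpd_ping module is loaded.
SAMPLE_PING_ERRORS = "ping: sendmsg: Permission denied\nping: recvmsg: Permission denied\n"

def parse_avc(log_text):
    """Return {(source_type, target, tclass): set(perms)}; target is 'self' when both types match."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, ... records carry no AVC decision
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        target = "self" if stype == ttype else ttype
        denials[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return denials

def to_te_rules(denials):
    """Render denials as the 'allow' lines audit2allow would emit."""
    rules = []
    for (stype, target, tclass), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_txt};")
    return rules

# SELinux checks 'write' on a socket for sendmsg() and 'read' for recvmsg().
SYSCALL_PERM = {"sendmsg": "write", "recvmsg": "read"}
def perms_from_errors(stderr_text):
    """'ping: sendmsg: Permission denied' -> {'write'}, etc."""
    found = re.findall(r'^\w+: (\w+): Permission denied$', stderr_text, re.M)
    return {SYSCALL_PERM[s] for s in found if s in SYSCALL_PERM}

def missing_perms(denials, stype, tclass, needed):
    """Perms the audited denials (and so audit2allow's module) never covered."""
    return needed - denials.get((stype, "self", tclass), set())
```

Denials that surface as "Permission denied" but never reach audit.log are usually covered by dontaudit rules; `semodule -DB` rebuilds the policy with those rules disabled so the AVC records appear, and `semodule -B` restores them afterwards.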
