Posted on 06-25-2015 09:33 AM
I am trying to get Netboot working on a CentOS 7 box.
However I can't get it to work without having SELinux in Permissive mode.
Just not sure how to make the policy change. I have tried running the solution as suggested by SEAlert ("semodule -i mypol.pp") but it doesn't seem to help.
SELinux is preventing /usr/sbin/ss from getattr access on the file /proc/sys/net/ipv4/ip_local_port_range.
Plugin catchall (100. confidence) suggests
If you believe that ss should be allowed getattr access on the ip_local_port_range file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/ip_local_port_range [ file ]
Source ss
Source Path /usr/sbin/ss
Port <Unknown>
Host <Unknown>
Source RPM Packages iproute-3.10.0-21.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7_1.8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name CasperTestServer
Platform Linux CasperTestServer 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-06-24 03:59:24 BST
Last Seen 2015-06-24 03:59:24 BST
Local ID b14640aa-1cef-4244-b055-e356a268e348
Raw Audit Messages
type=AVC msg=audit(1435114764.363:1983): avc: denied { getattr } for pid=28172 comm="ss" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=67275 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
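As an added example (not from the original post or from SEAlert), the script below does by hand what `audit2allow -M mypol` does with that AVC line: it parses the source type, target type, class and permission and emits the `.te` source for the module, so the rule can be read before it is compiled and loaded. The AVC line is the constructed copy of the one quoted above and the module name "mypol" is the one the post uses; the resulting rule is `allow httpd_t sysctl_net_t:file getattr;`.

```shell
#!/bin/sh
# Added example: turn one AVC denial into a reviewable SELinux .te module.
# The AVC line is a constructed copy of the denial quoted in the post.
AVC='type=AVC msg=audit(1435114764.363:1983): avc: denied { getattr } for pid=28172 comm="ss" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=67275 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file'

# avc_field LINE KEY: value of a KEY=value pair in the AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission set inside the braces, e.g. "getattr"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: the single type-enforcement rule the denial asks for
avc_to_rule() {
    _s=$(avc_type "$(avc_field "$1" scontext)")
    _t=$(avc_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s %s;\n' "$_s" "$_t" "$_c" "$(avc_perms "$1")"
}

# avc_to_te LINE MODULE: complete .te source (module header, require block, rule)
avc_to_te() {
    _s=$(avc_type "$(avc_field "$1" scontext)")
    _t=$(avc_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$2" "$_s" "$_t" "$_c" "$(avc_perms "$1")" "$(avc_to_rule "$1")"
}

# Print the module source; to build and load it on the box:
#   checkmodule -M -m -o mypol.mod mypol.te
#   semodule_package -o mypol.pp -m mypol.mod
#   semodule -i mypol.pp
avc_to_te "$AVC" mypol
```

Since the audit message shows the denial happening in the httpd_t domain, the module only grants getattr on sysctl_net_t files to that domain; if NetBoot still fails after loading it, look for further AVC records rather than widening the rule.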
Posted on 06-25-2015 06:06 PM
Disable SELinux?
Posted on 06-26-2015 07:40 AM
SELinux should always be in Enforcing mode. Always because it can protect you.