Netboot webpage on CentOS 7 fails to run properly if SELinux is in Enabled mode

New Contributor II

I am trying to get Netboot working on a CentOS 7 box. However I can't get it to work without having SELinux in Permissive mode.
Just not sure how to get make the policy change, have tried running the solution as suggested by SEAlert ("semodule -i mypol.pp") but it doesn't seem to help.

SELinux is preventing /usr/sbin/ss from getattr access on the file /proc/sys/net/ipv4/ip_local_port_range.

Plugin catchall (100. confidence) suggests *

If you believe that ss should be allowed getattr access on the ip_local_port_range file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:

grep ss /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/ip_local_port_range [ file ]
Source ss
Source Path /usr/sbin/ss
Port <Unknown>
Host <Unknown>
Source RPM Packages iproute-3.10.0-21.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7_1.8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name CasperTestServer
Platform Linux CasperTestServer 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-06-24 03:59:24 BST
Last Seen 2015-06-24 03:59:24 BST
Local ID b14640aa-1cef-4244-b055-e356a268e348

Raw Audit Messages
type=AVC msg=audit(1435114764.363:1983): avc: denied { getattr } for pid=28172 comm="ss" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=67275 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file


Valued Contributor

disable selinux?

New Contributor II

SELinux should always be in Enforcing mode. Always because it can protect you.