SELinux Misc: Difference between revisions
Links:
*https://unix.stackexchange.com/questions/675203/selinux-blocks-ping-from-php-exec
*https://forums.centos.org/viewtopic.php?t=49172
*https://phpipam.net/news/selinux-policy-for-icmp-checks/
Revision as of 21 November 2022, 15:55
Create the file my-httpd-php-ping.te with the following content:
- cat my-httpd-php-ping.te
module my-httpd-php-ping 1.0;

require {
        type httpd_t;
        class capability { net_admin net_raw };
        class icmp_socket create;
        class rawip_socket { create getopt read setopt write };
}

#============= httpd_t ==============
allow httpd_t self:capability { net_admin net_raw };
allow httpd_t self:icmp_socket create;
allow httpd_t self:rawip_socket { create getopt read setopt write };
Compile it into an SELinux module:
- checkmodule -M -m -o my-httpd-php-ping.mod my-httpd-php-ping.te
- semodule_package -o my-httpd-php-ping.pp -m my-httpd-php-ping.mod
And install it:
- semodule -i my-httpd-php-ping.pp
Afterwards, switch SELinux back to enforcing mode:
- setenforce 1
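To check whether the module installed above covers what ping needs once enforcing mode is back on, the denials still logged for httpd_t can be compared against its allow rules. The script below is an added example, not part of the original page; the function names `uncovered_denials` and `sample_log` and the embedded AVC records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: list httpd_t self-denials in
# audit-log text that the module's allow rules above do not cover.

# "class:perm" pairs granted by my-httpd-php-ping.te as shown on the page.
ALLOWED="capability:net_admin capability:net_raw icmp_socket:create \
rawip_socket:create rawip_socket:getopt rawip_socket:read \
rawip_socket:setopt rawip_socket:write"

# Reads audit-log lines on stdin; prints uncovered "class:perm" pairs, sorted.
uncovered_denials() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only denials where httpd_t acts on itself, matching the self: rules.
    /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:httpd_t:/ {
        cls = ""; perms = ""
        if (match($0, /tclass=[a-z_0-9]+/))
            cls = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        m = split(perms, p, " ")
        for (i = 1; i <= m; i++)
            if (!((cls ":" p[i]) in ok)) print cls ":" p[i]
    }' | sort -u
}

# Constructed sample AVC records (not captured from a real host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1669042500.101:410): avc:  denied  { net_raw } for  pid=2211 comm="ping" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1669042500.102:411): avc:  denied  { create } for  pid=2211 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1669042500.103:412): avc:  denied  { read write } for  pid=2211 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1669042500.104:413): avc:  denied  { setopt } for  pid=2211 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=icmp_socket permissive=0
type=AVC msg=audit(1669042500.105:414): avc:  denied  { getattr } for  pid=2211 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1669042500.106:415): avc:  denied  { write } for  pid=2190 comm="php-fpm" name="cache" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
EOF
}

sample_log | uncovered_denials
```

On a live system, pipe the output of `ausearch -m AVC -ts recent` into `uncovered_denials` instead of the sample. The allow rules apply to every process running in the httpd_t domain, so the output is also a prompt to review each missing permission before extending the module.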