Issues adding devices, fping errors

RockyLinux 9.4 (Hyper-V VM), fresh install of LibreNMS

The install and initial setup were relatively smooth; however, now that I am trying to add devices/hosts, I am unable to, with the error that it cannot ping.

Web UI validation shows:

INFO: fping FAILURES can be ignored if running LibreNMS in a jail without ::1. You may want to test it manually: fping ::1
FAIL: /usr/sbin/fping could not be executed. /usr/sbin/fping must have CAP_NET_RAW capability (getcap) or suid. Selinux exclusions may be required. (/usr/sbin/fping: cannot bind source address : Permission denied)
FAIL: /usr/sbin/fping should have CAP_NET_RAW!
Fix:
setcap cap_net_raw+ep /usr/sbin/fping

Validation via console shows:
[librenms@LibreNMS-H5 ~]$ ./validate.php

Component Version
LibreNMS 24.5.0-27-g7ac1b3303 (2024-06-05T07:16:33-06:00)
DB Schema 2024_04_29_183605_custom_maps_drop_background_suffix_and_background_version (294)
PHP 8.1.29
Python 3.9.18
Database MariaDB 10.5.22-MariaDB
RRDTool 1.7.2
SNMP 5.9.1
===========================================

[OK] Composer Version: 2.7.6
[OK] Dependencies up-to-date.
[WARN] You have no devices.
[FIX]:
Consider adding a device such as localhost: /addhost
[OK] Database connection successful
[OK] Database Schema is current
[OK] SQL Server meets minimum requirements
[OK] lower_case_table_names is enabled
[OK] MySQL engine is optimal
[OK] Database and column collations are correct
[OK] Database schema correct
[OK] MySQL and PHP time match
[OK] Locks are functional
[OK] Python poller wrapper is polling
[OK] Redis is unavailable
[OK] rrd_dir is writable
[OK] rrdtool version ok
[WARN] Your install is over 24 hours out of date, last update: Wed, 05 Jun 2024 13:16:33 +0000
[FIX]:
Make sure your daily.sh cron is running and run ./daily.sh by hand to see if there are any errors.

I run: setcap cap_net_raw+ep /usr/sbin/fping
with no errors and it appears to run without problems.

Despite running the apparent ‘fix’ the problem never seems to be resolved. I can manually run fping from console and it exists in the location that LibreNMS is expecting.

Where else can I look or what else can I try?

It’s definitely an SELinux problem. There are deny events in the audit log for fping via http. I’ve set SELinux to permissive temporarily and validation now works without that error as well as adding devices.

Have you followed these instructions regarding SELinux?

If they do not work please open a PR or reply to us with working policies so we can fix the documentation.

Those were the exact instructions I followed. Here is the output of running them again.

[root@server user]# semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/html(/.*)?'
File context for /opt/librenms/html(/.*)? already defined, modifying instead
[root@server user]# semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/(rrd|storage)(/.*)?'
File context for /opt/librenms/(rrd|storage)(/.*)? already defined, modifying instead
[root@server user]# semanage fcontext -a -t httpd_log_t "/opt/librenms/logs(/.*)?"
File context for /opt/librenms/logs(/.*)? already defined, modifying instead
[root@server user]# semanage fcontext -a -t httpd_cache_t '/opt/librenms/cache(/.*)?'
File context for /opt/librenms/cache(/.*)? already defined, modifying instead
[root@server user]# semanage fcontext -a -t bin_t '/opt/librenms/librenms-service.py'
File context for /opt/librenms/librenms-service.py already defined, modifying instead
[root@server user]# restorecon -RFvv /opt/librenms
Relabeled /opt/librenms/.env from system_u:object_r:httpd_sys_rw_content_t:s0 to system_u:object_r:usr_t:s0
[root@server user]# setsebool -P httpd_can_sendmail=1
[root@server user]# setsebool -P httpd_execmem 1
[root@server user]# chcon -t httpd_sys_rw_content_t /opt/librenms/.env
[root@server user]# checkmodule -M -m -o http_fping.mod http_fping.tt
checkmodule: unable to open http_fping.tt: No such file or directory
[root@server user]# cd /opt
[root@server opt]# checkmodule -M -m -o http_fping.mod http_fping.tt
[root@server opt]# semodule_package -o http_fping.pp -m http_fping.mod
[root@server opt]# semodule -i http_fping.pp

I also rebooted the server and it still doesn’t work without setting SELinux to permissive.

I had the same behavior.

To make fping work with SELinux on Rocky 9, I needed to make some changes to the http_fping policy:

module http_fping 1.0;

require {
    type node_t;
    type httpd_t;
    class capability net_raw;
    class icmp_socket create;
    class rawip_socket { getopt create setopt write read bind node_bind };
}

#============= httpd_t ==============
allow httpd_t node_t:rawip_socket node_bind;

allow httpd_t self:capability net_raw;
allow httpd_t self:icmp_socket create;
allow httpd_t self:rawip_socket { getopt create setopt write read bind };
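
As an added example (not part of any post in this thread, and not LibreNMS code), the shell function below turns the AVC denial records logged for one command into merged allow rules, which is how a policy like the one above can be checked against what the audit log actually denied. The audit records are constructed samples, and the names sample_avc and avc_to_allow are hypothetical.

```shell
# Constructed sample audit records (not taken from the thread's audit.log).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1717600000.101:501): avc:  denied  { net_raw } for  pid=2211 comm="fping" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1717600000.102:502): avc:  denied  { create } for  pid=2211 comm="fping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1717600000.103:503): avc:  denied  { setopt } for  pid=2211 comm="fping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1717600000.104:504): avc:  denied  { node_bind } for  pid=2211 comm="fping" saddr=192.0.2.10 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1717600060.201:601): avc:  denied  { create } for  pid=2290 comm="fping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1717600061.301:602): avc:  denied  { read } for  pid=2301 comm="php-fpm" name="example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
EOF
}

# Turn the AVC denials logged for one command into merged allow rules.
# usage: avc_to_allow COMM < audit.log
avc_to_allow() {
  awk -v c="$1" '
    # Return the value of a key=value token on the current record.
    function val(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    /avc: +denied/ && index($0, "comm=\"" c "\"") {
      # The denied permissions are the words between the braces.
      o = index($0, "{"); e = index($0, "}")
      n = split(substr($0, o + 1, e - o - 1), perm, " ")
      # The SELinux type is the third field of user:role:type:level.
      split(val("scontext"), s, ":"); split(val("tcontext"), t, ":")
      # Same source and target type is written as "self" in policy.
      key = s[3] " " (s[3] == t[3] ? "self" : t[3]) ":" val("tclass")
      # Merge permissions per (source, target, class) and drop repeats.
      for (i = 1; i <= n; i++)
        if (!seen[key, perm[i]]++) rules[key] = rules[key] " " perm[i]
    }
    END { for (k in rules) print "allow " k " {" rules[k] " };" }
  ' | LC_ALL=C sort
}

sample_avc | avc_to_allow fping
```

Any rule in the output that the installed module lacks is a permission still being denied. On a real host, audit2allow does this conversion from the audit log, and its output should be reviewed before it is loaded.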

Underscoredje, what file is this in?