Looks like it's unceremoniously hanging when selinux denies the socket.
Lovely.
adam.
On 2013-05-03 13:30, Laurens Vets wrote:
I have no idea... These are the log entries I get in /var/log/audit/log:
type=AVC msg=audit(1367502087.785:19745): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.785:19745): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=fed8b0 a2=10 a3=3 items=0 ppid=4479 pid=4480 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1503 comm="whois" exe="/usr/bin/jwhois" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1367502087.786:19746): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.786:19746): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=fed900 a2=10 a3=3 items=0 ppid=4479 pid=4480 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1503 comm="whois" exe="/usr/bin/jwhois" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1367502087.786:19747): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.786:19747): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=fed950 a2=10 a3=3 items=0 ppid=4479 pid=4480 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1503 comm="whois" exe="/usr/bin/jwhois" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1367502087.786:19748): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.786:19748): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=fed9a0 a2=10 a3=3 items=0 ppid=4479 pid=4480 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1503 comm="whois" exe="/usr/bin/jwhois" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1367502087.786:19749): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.786:19749): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=fed9f0 a2=10 a3=3 items=0 ppid=4479 pid=4480 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1503 comm="whois" exe="/usr/bin/jwhois" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
The following made it work:
[root@box audit]# yum install policycoreutils-python
[root@box audit]# grep whois /var/log/audit/audit.log | audit2allow -M whois
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i whois.pp

[root@box audit]# semodule -i whois.pp
[root@box audit]# semodule -l | grep whois
whois 1.0
[root@box audit]#
Maybe the subprocess isn't timing out or so?
On 2013-05-03 13:53, Tom Laermans wrote:
You make Dan Walsh cry.
How does selinux not allow apache to run whois, yet you see a whois process using up 100%?
Tom
On 3/05/2013 10:38, Adam Armstrong wrote:
Only if you disable selinux :D
Laurens Vets laurens@daemon.be wrote:
Found the issue. We are running Observium on CentOS 6 (Yes, we followed the RHEL documentation to the letter). The default selinux policy does not allow whois to be run from within Apache. After we fixed this, whois worked.
Is RHEL/CentOS still an officially supported OS for Observium?
On 2013-05-02 20:20, Adam Armstrong wrote:
I have no idea what's causing this. It works fine for me.
It's the whois process getting all badly behaved, so it looks like it's their problem. Perhaps that particular version doesn't like being run from within PHP without a proper terminal?
Of course, you don't tell us the versions of anything you're running at all, so I don't know why I'm even bothering...
adam.
On 2013-05-02 14:51, Laurens Vets wrote:
Hello list,

When Observium tries to do a whois of an RFC 1918 address, whois goes to 100% CPU and stays there... it doesn't seem to exit. I have to manually kill the whois process.

Top output:
  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
 4480 apache    20   0 12716 1148  908 R 100.0  0.0  5:06.30  whois

Process output:
[root@box observium]# ps aux | grep whois
apache    4479  0.0  0.0  11332  1164 ?        S    13:41   0:00 sh -c /usr/bin/whois 10.250.1.1 | grep -v %
apache    4480 99.8  0.0  12716  1148 ?        R    13:41   5:15 /usr/bin/whois 10.250.1.1
root      7325  0.0  0.0 103248   836 pts/1    S+   13:46   0:00 grep whois
[root@box observium]#

I suspect that whois should either time out or not look up RFC 1918 addresses (or multicast or loopback?). Or should I wait longer than 5 minutes?

Kind regards,
Laurens
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
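
An added example, not part of the original thread or of Observium: a small Python parser that reduces AVC denials like the ones quoted in the thread to the type-enforcement allow rules they correspond to, so the grant can be reviewed before a generated module is loaded with `semodule -i`. The log text is a constructed sample modeled on the quoted entries, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records shaped like those quoted in the thread
# (same contexts and permission), plus a SYSCALL record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1367502087.785:19745): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367502087.785:19745): arch=c000003e syscall=42 success=no exit=-13 comm="whois" exe="/usr/bin/jwhois"
type=AVC msg=audit(1367502087.786:19746): avc: denied { name_connect } for pid=4480 comm="whois" dest=43 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    # finditer rather than per-line matching, so AVC and SYSCALL records
    # that were run together on one line are still handled.
    for m in AVC_RE.finditer(log_text):
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the summary as type-enforcement allow rules for review."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return out

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

The resulting rule is keyed on the `httpd_t` domain rather than on the whois binary, so it covers every process running as `httpd_t` that connects to a `whois_port_t` port.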