
perfsonar-user - Re: [perfsonar-user] TracerouteSender 403 Forbidden Error

Subject: perfSONAR User Q&A and Other Discussion

  • From: "Uhl, George D. (GSFC-423.0)[ARTS]" <>
  • To: Mark Tinberg <>
  • Cc: Andrew Lake <>, "" <>
  • Subject: Re: [perfsonar-user] TracerouteSender 403 Forbidden Error
  • Date: Tue, 29 Apr 2014 21:06:44 +0000
  • Accept-language: en-US

Mark,

Thanks for following up. I was running tcpdump on the traceroute source
host so I used tcpdump to look for it attempting to communicate to the
remote archive server on port 8086. I'm not seeing anything related to
http or traceroute in audit.log.

Thanks again,
-George

On 4/29/14 4:53 PM, "Mark Tinberg"
<>
wrote:

>
>On Apr 29, 2014, at 2:48 PM, Uhl, George D. (GSFC-423.0)[ARTS]
><>
> wrote:
>
>> Could this have something to do with selinux being enabled on the host? I
>> did a tcpdump on this host and never saw any traffic sent to the MA server
>> on port 8086.
>
>tcpdump would see the traffic before any packet filtering or selinux
>policy could affect it so if you aren't seeing it inbound then it's not
>getting to the machine at all and you can conclude the problem is not on
>the local machine.
>
>> BTW, I'm prohibited from disabling selinux on this particular host.
>
>As a point of reference, SELinux logs to the audit subsystem and if
>auditd is running those logs should end up in /var/log/audit/audit.log
>which should be root-only readable. There are a lot of things which are
>audited by default; look for AVC messages, they should tell you all the
>information about what was denied, if anything. For example, here is
>what happens when apache tries to access a user's home directory when
>httpd_enable_homedirs has not been enabled by setsebool.
>
># grep AVC /var/log/audit/audit.log
>type=AVC msg=audit(1398804336.495:232531): avc: denied { search } for
>pid=9160 comm="httpd" name="test" dev=dm-0 ino=663252
>scontext=unconfined_u:system_r:httpd_t:s0
>tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>type=AVC msg=audit(1398804336.498:232532): avc: denied { getattr } for
>pid=9160 comm="httpd" path="/home/test" dev=dm-0 ino=663252
>scontext=unconfined_u:system_r:httpd_t:s0
>tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>
>
>
>Mark Tinberg, System Administrator
>Division of Information Technology - Network Services
>University of Wisconsin - Madison
>
>
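
The audit.log check discussed in this thread, as an added example that is not part of either message: a small parser that groups AVC denials by source type, target type and object class, optionally filtered by process name. The two AVC records are the ones quoted above, unwrapped to one line each; the SYSCALL record and the `traceroute` filter value are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample input: the two AVC records quoted in the thread (unwrapped), plus one
# constructed non-AVC record to show that other audit types are skipped.
SAMPLE = '''\
type=AVC msg=audit(1398804336.495:232531): avc: denied { search } for pid=9160 comm="httpd" name="test" dev=dm-0 ino=663252 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1398804336.498:232532): avc: denied { getattr } for pid=9160 comm="httpd" path="/home/test" dev=dm-0 ino=663252 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1398804336.498:232532): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
'''

# Header: epoch seconds, milliseconds, event serial, verdict, permission set.
AVC_RE = re.compile(r'type=AVC msg=audit\((\d+)\.(\d+):(\d+)\):\s+avc:\s+'
                    r'(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    secs, _ms, serial, verdict, perms, rest = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec.update(time=datetime.fromtimestamp(int(secs), tz=timezone.utc),
               serial=int(serial), verdict=verdict, perms=perms.split())
    return rec

def setype(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(':')[2]

def summarize(lines, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if comm is not None and rec.get('comm') != comm:
            continue
        key = (setype(rec['scontext']), setype(rec['tcontext']), rec['tclass'])
        out[key].update(rec['perms'])
    return dict(out)

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE.splitlines()).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

An empty result for a given process name means the log holds no AVC denials attributed to that process.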



