icmp Operation not permitted message on ping
don fisher
2012-02-09 21:20:05 UTC
Sorry to be back again. My mail and browser work, and I can ping as
root. When I try to ping as a user I get:

ping: icmp open socket: Operation not permitted

There is probably a group that I need to add to my profile, but it was
not obvious to me. Suggestions welcome. Is there a way to add groups to
my account without using system-config-users?

Where are these things documented?

Thanks,
Don
Kevin Martin
2012-02-10 15:17:34 UTC
Post by don fisher
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine are set to 755 (-rwxr-xr-x) and ping works for me as non-root.

Kevin
don fisher
2012-02-10 12:48:01 UTC
Post by Kevin Martin
Post by don fisher
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
My protections are the same as yours. As I read the error message, I
think that the problem is not being able to open the socket.

ping: icmp open socket: Operation not permitted

Thanks,
don
don fisher
2012-02-10 13:08:06 UTC
Post by Kevin Martin
Post by don fisher
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
Yesterday I built a new system on another disk that allows ping to work
as expected. My system crashed once, so a few things must have been
"disturbed". I was trying to figure out how to repair it.

Thanks
Don
--
-----------------------------------------------------------------
| Don Fisher hdf3 at comcast.net |
| 865 W. Cresta Loma Dr. VOICE: (520)888-7613 |
| Tucson, AZ. 85704-3705 |

-----------------------------------------------------------------
Rick Stevens
2012-02-10 18:15:05 UTC
Post by don fisher
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it
was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine
are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
Yesterday I built a new system on another disk that allows ping to work
as expected. My system crashed once, so a few things must have been
"disturbed". I was trying to figure out how to repair it.
Smells like an selinux thing. Check your logs to see if you're getting
AVC denials. If so, you may need to relabel.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------
don fisher
2012-02-10 14:10:14 UTC
Post by don fisher
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it
was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine
are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
Yesterday I built a new system on another disk that allows ping to work
as expected. My system crashed once, so a few things must have been
"disturbed". I was trying to figure out how to repair it.
Smells like an selinux thing. Check your logs to see if you're getting
AVC denials. If so, you may need to relabel.
Rick,
Where are the selinux messages logged? I looked in /var/log/secure and
the only thing I saw was a notice of when I used sudo to test ping. What
would I need to relabel? I am a dunce on security issues.

Thanks
don
Kevin Martin
2012-02-10 19:19:19 UTC
Post by don fisher
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it
was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine
are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
Yesterday I built a new system on another disk that allows ping to work
as expected. My system crashed once, so a few things must have been
"disturbed". I was trying to figure out how to repair it.
Smells like an selinux thing. Check your logs to see if you're getting
AVC denials. If so, you may need to relabel.
Rick,
Where are the selinux messages logged? I looked in /var/log/secure and the only thing I saw was a notice of when I used sudo to
test ping. What would I need to relabel? I am a dunce on security issues.
Thanks
don
if you've got strace installed you could strace the execution of the ping command and that should show you when it fails and why as
well.

Kevin
Rick Stevens
2012-02-10 20:07:59 UTC
don fisher
2012-02-10 15:13:39 UTC
Post by don fisher
Post by don fisher
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it
was not obvious to me. Suggestions welcome. Is there a way to
add groups to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Don, what are the permissions on /bin/ping (ls -al /bin/ping)? Mine
are set to 755 (-rwxr-xr-x) and ping works for me as non-root.
Kevin
Yesterday I built a new system on another disk that allows ping to work
as expected. My system crashed once, so a few things must have been
"disturbed". I was trying to figure out how to repair it.
Smells like an selinux thing. Check your logs to see if you're getting
AVC denials. If so, you may need to relabel.
Rick,
Where are the selinux messages logged? I looked in /var/log/secure
and the only thing I saw was a notice of when I used sudo to
test ping. What would I need to relabel? I am a dunce on security issues.
They'd be in /var/log/messages if that's what's happening. You can
"touch /.autorelabel" to force a full autorelabel on reboot. That can
take some time.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- We are born naked, wet and hungry. Then things get worse. -
----------------------------------------------------------------------
Thanks. I tried that as you had mentioned it yesterday. I tried a new
version 3.2.3-2 of the kernel, but it will not handle my radeon chip
set. Still at 3.1.9-1. All I touch appears broken:-(

Don
Daniel J Walsh
2012-02-13 14:27:15 UTC
Post by don fisher
Post by don fisher
Post by Kevin Martin
Post by don fisher
Sorry to be back again. My mail and browser work, and
I can ping as root. When I try to ping as a user I
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my
profile, but it was not obvious to me. Suggestions
welcome. Is there a way to add groups to my account
without using system-config-users?
Where are these things documented?
Thanks, Don
Don, what are the permissions on /bin/ping (ls -al
/bin/ping)? Mine are set to 755 (-rwxr-xr-x) and ping
works for me as non-root.
Kevin
Yesterday I built a new system on another disk that
allows ping to work as expected. My system crashed once, so
a few things must have been "disturbed". I was trying to
figure out how to repair it.
Smells like an selinux thing. Check your logs to see if
you're getting AVC denials. If so, you may need to
relabel.
Rick, Where are the selinux messages logged? I looked in
/var/log/secure and the only thing I saw was a notice of when
I used sudo to test ping. What would I need to relabel? I am
a dunce on security issues.
They'd be in /var/log/messages if that's what's happening. You
can "touch /.autorelabel" to force a full autorelabel on reboot.
That can take some time.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- We are born naked, wet and hungry. Then things get worse. -
----------------------------------------------------------------------
Thanks. I tried that as you had mentioned it yesterday. I tried a new
version 3.2.3-2 of the kernel, but it will not handle my radeon
chip set. Still at 3.1.9-1. All I touch appears broken:-(
Don
I doubt this is SELinux related. If ping works as root and does not
as non root, I would suspect this has to do with capabilities.

getcap /bin/ping
/bin/ping = cap_net_raw+ep

ls -l /bin/ping
-rwxr-xr-x. 1 root root 40840 Nov 10 04:32 /bin/ping


Ping needs the cap_net_raw capability to work, meaning it is allowed
to send raw packets on the network. Either it needs to be setuid or
use file capabilities.

Joe Zeff
2012-02-10 19:36:17 UTC
Post by don fisher
Rick,
Where are the selinux messages logged? I looked in /var/log/secure and
the only thing I saw was a notice of when I used sudo to test ping. What
would I need to relabel? I am a dunce on security issues.
Generally, the SELinux Troubleshooter should pop up, show you the error
message and give you instructions on how to correct the problem. If it
hasn't, you can find it on the System Menu and run it that way if you
want to be sure.
Scott Doty
2012-02-10 20:46:22 UTC
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it was
not obvious to me. Suggestions welcome. Is there a way to add groups
to my account without using system-config-users?
Where are these things documented?
Thanks,
Don
Check your capabilities for /bin/ping:

Here I have:

_[/home/scott]_(scott at eva)_
$ getcap /bin/ping
/bin/ping = cap_net_raw+ep

-Scott
Kevin Fenzi
2012-02-10 20:47:09 UTC
On Thu, 09 Feb 2012 14:20:05 -0700
Post by don fisher
Sorry to be back again. My mail and browser work, and I can ping as
ping: icmp open socket: Operation not permitted
There is probably a group that I need to add to my profile, but it
was not obvious to me. Suggestions welcome. Is there a way to add
groups to my account without using system-config-users?
There's no special ping group...

what does 'rpm -V iputils' show? I bet you lost somehow the capability
bits set on ping.

% getcap /bin/ping
/bin/ping = cap_net_raw+ep

if rpm -V iputils shows ping is wrong, do a 'yum reinstall iputils'

kevin
don fisher
2012-02-10 16:08:26 UTC
Post by Kevin Fenzi
yum reinstall iputils
My getcap /bin/ping showed nothing. I reinstalled iputils as suggested
and now I get the correct response from getcap AND ping works:-) How do
you think it could have become broken?

Thanks again,
Don
Kevin Fenzi
2012-02-10 21:18:10 UTC
On Fri, 10 Feb 2012 09:08:26 -0700
Post by don fisher
Post by Kevin Fenzi
yum reinstall iputils
My getcap /bin/ping showed nothing. I reinstalled iputils as
suggested and now I get the correct response from getcap AND ping
works:-) How do you think it could have become broken?
No idea. If you copied or did an install to some filesystem that didn't
do capabilities I guess, but that seems unlikely. ;(

kevin
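
Added example, not part of the original thread: what getcap reads is the security.capability extended attribute on the file, and that attribute is what went missing here. The sketch below decodes it and reports whether a binary gets cap_net_raw from file capabilities or from setuid root, the two options named in the thread. The function names and the sample bytes are constructed for illustration; the constants are the ones in linux/capability.h.

```python
import os
import stat
import struct

CAP_NET_RAW = 13                      # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# xattr revision -> number of 32-bit (permitted, inheritable) pairs it carries
VFS_CAP_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def decode_file_caps(xattr):
    """Return (permitted, inheritable, effective_flag) from a security.capability value."""
    if len(xattr) < 4:
        raise ValueError("not a valid security.capability value")
    (magic,) = struct.unpack_from("<I", xattr, 0)
    pairs = VFS_CAP_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(xattr) < 4 + 8 * pairs:
        raise ValueError("not a valid security.capability value")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def raw_socket_privilege(mode, owner_uid, xattr):
    """Classify how a binary obtains CAP_NET_RAW when a non-root user runs it."""
    if xattr:
        permitted, _, effective = decode_file_caps(xattr)
        if permitted & (1 << CAP_NET_RAW):
            return "file capability cap_net_raw+" + ("ep" if effective else "p")
    if mode & stat.S_ISUID and owner_uid == 0:
        return "setuid root"
    return "none: opening a raw ICMP socket will fail with EPERM"


# Constructed sample: the xattr bytes behind "cap_net_raw+ep" (revision 2).
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)

if __name__ == "__main__":
    path = "/bin/ping"
    st = os.stat(path)
    try:
        caps = os.getxattr(path, "security.capability")
    except OSError:                   # no file capabilities set on this file
        caps = b""
    print(path, "->", raw_socket_privilege(st.st_mode, st.st_uid, caps))
```

A mode of 755 with an empty attribute is the state Don's system was in: ls -l looks normal, yet nothing grants the capability, which is why comparing permissions alone did not find the problem.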