SELinux and ICMP permissions
If you have SELinux enabled on your Horizon server, you must also configure a policy that allows Horizon to bind to the ICMP service.
The steps in this section apply specifically to CentOS 8.
To verify that SELinux is running and enabled, use the sestatus console command.
If it is enabled, the output should be similar to the following example:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Use audit2allow -a to check whether Horizon is being denied by the SELinux policy. audit2allow -a reads the denials recorded in the audit log, so start Horizon and trigger the ICMP check first; otherwise there is nothing for it to report.
If the audit2allow command is missing, run dnf install policycoreutils-devel to install the package.
In the output, look for the generated rules that mention icmp_socket; these correspond to the denied ICMP socket binds:
#============= unconfined_service_t ==============
allow unconfined_service_t node_t:icmp_socket node_bind;
allow unconfined_service_t port_t:icmp_socket name_bind;
Create a type enforcement file (for example, JniPing.te):
module JniPing 1.0;
require {
type unconfined_service_t;
type node_t;
type port_t;
class icmp_socket { name_bind node_bind };
}
#============= unconfined_service_t ==============
allow unconfined_service_t node_t:icmp_socket node_bind;
allow unconfined_service_t port_t:icmp_socket name_bind;
Compile the type enforcement file into an SELinux module and package it:
checkmodule -M -m -o JniPing.mod JniPing.te
semodule_package -o JniPing.pp -m JniPing.mod
Install the policy package, then confirm that SELinux is still in enforcing mode (semodule -i loads the module; getenforce only reports the current mode and must print Enforcing):
semodule -i JniPing.pp
getenforce
You can verify that the module is loaded with the following command:
semodule --list-modules | grep JniPing
Note that these rules were generated by audit2allow on a CentOS 8 system. On another distribution or policy version the type names may differ, so regenerate the rules from your own audit log rather than copying them. Also note that unconfined_service_t is the domain shared by every service that systemd starts without a more specific policy, so the module grants ICMP socket binding to all such services, not only to Horizon.
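The whole procedure above, collected into one script as an added example (it is not part of the original page or of the Horizon product). It assumes a CentOS 8 host with policycoreutils-devel installed and that the two icmp_socket rules are exactly the ones audit2allow reported above; the function and variable names (jniping_te, icmp_denials_pending, install_jniping_module, WORKDIR) are the example's own.

```shell
#!/bin/sh
# Added example: build, install and verify the JniPing SELinux module.
# Assumes CentOS 8 with checkmodule, semodule_package and semodule available.

MODULE="JniPing"            # module name used on the page
WORKDIR="${WORKDIR:-.}"     # where .te/.mod/.pp files are written (assumption)

# Emit the type enforcement source. Kept as a function so it can be reviewed
# (or diffed against fresh audit2allow output) before anything is installed.
jniping_te() {
    cat <<'EOF'
module JniPing 1.0;

require {
    type unconfined_service_t;
    type node_t;
    type port_t;
    class icmp_socket { name_bind node_bind };
}

#============= unconfined_service_t ==============
allow unconfined_service_t node_t:icmp_socket node_bind;
allow unconfined_service_t port_t:icmp_socket name_bind;
EOF
}

# Returns 0 if the audit log still contains ICMP socket denials.
# Run Horizon's ICMP check first, otherwise audit2allow has nothing to show.
icmp_denials_pending() {
    audit2allow -a 2>/dev/null | grep -q 'icmp_socket'
}

# Compile, package and load the module, then confirm it is listed and that
# SELinux is still enforcing. Refuses to run without root or the toolchain.
install_jniping_module() {
    for tool in checkmodule semodule_package semodule getenforce; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing $tool; run: dnf install policycoreutils-devel" >&2
            return 1
        }
    done
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    jniping_te > "$WORKDIR/$MODULE.te"
    checkmodule -M -m -o "$WORKDIR/$MODULE.mod" "$WORKDIR/$MODULE.te" || return 1
    semodule_package -o "$WORKDIR/$MODULE.pp" -m "$WORKDIR/$MODULE.mod" || return 1
    semodule -i "$WORKDIR/$MODULE.pp" || return 1

    # Verification: module loaded and mode unchanged (getenforce prints Enforcing).
    semodule --list-modules | grep -q "^$MODULE" || return 1
    [ "$(getenforce)" = "Enforcing" ]
}

# Usage (as root, after reproducing the denial):
#   if icmp_denials_pending; then install_jniping_module; fi
```

The install function deliberately stops if getenforce does not report Enforcing: the goal is to keep SELinux enforcing while permitting only the two ICMP binds, and a host that quietly dropped to permissive would make the module look like it worked when it was never exercised.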