On Mon, 2013-08-05 at 12:47 -0400, m.roth@5-cent.us wrote:
Dominick Grift wrote:
On Mon, 2013-08-05 at 11:16 -0400, m.roth@5-cent.us wrote:
We've got a service (motion) that has an NFS-mounted home directory. In that directory is ./bin, and some executables. Is there a boolean to allow that to be executed, or do I have to add a policy to allow that on every system that is running the service?
Btw, the system it just showed up on is a newly updated FC19.
mark
Show us avc denials please
First, here's getsebool -a | grep -i nfs
cobbler_use_nfs --> off
ftpd_use_nfs --> off
git_cgi_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> on
ksmtuned_use_nfs --> off
mpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
polipo_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
I've got several - here's three:
type=AVC msg=audit(1375711978.360:34383): avc: denied { read } for pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Where exactly is this directory "2013-08-05"?
You might be able to find it with the find command: find / -inum 29229135
But yes you would need to add rules to conditionally allow this in theory (create a boolean zoneminder_use_nfs)
This one is even more fun: it doesn't think bash should be allowed to execute mplayer (if I've got the sealert and the audit.log entry matched up....)
type=AVC msg=audit(1375711977.280:34380): avc: denied { execute } for pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
That one looks strange because it seems that mplayer executes itself. In theory you can use audit2allow to allow this.
Is this what you needed?
mark
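As an added example (not code from this thread, and not part of SELinux or the audit2allow tool it mentions), the script below parses the two AVC records quoted above and summarises them the way audit2allow's output does: denied permissions grouped by source type, target type and object class, emitted as candidate allow rules for review. It also lists which source domains are being denied access to nfs_t objects, which is the question behind Dominick's suggestion of a zoneminder_use_nfs boolean; the getsebool output above shows no such boolean exists on that box. The audit lines are embedded as constructed sample input copied from the thread; the function names and regular expressions are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the thread above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1375711978.360:34383): avc: denied { read } for pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1375711977.280:34380): avc: denied { execute } for pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules.

    This mirrors the shape of audit2allow output; the rules are proposals for
    an admin to read, not a policy module to load as-is.
    """
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


def domains_touching_nfs(lines):
    """Source domains denied access to nfs_t objects; these are the candidates
    for an existing *_use_nfs boolean or, failing that, a new one."""
    domains = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and context_type(rec["tcontext"]) == "nfs_t":
            domains.add(context_type(rec["scontext"]))
    return domains


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for rule in allow_rules(lines):
        print(rule)
    print("domains needing NFS access:", ", ".join(sorted(domains_touching_nfs(lines))))
```

Run against a real log with `grep 'avc: *denied' /var/log/audit/audit.log` piped in, the output lets you compare each rule against the `getsebool -a | grep nfs` list before deciding whether a boolean, a file-context change, or a small local policy module is the right fix; audit2allow itself remains the tool to actually build the module.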