I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
And yet I get this from sealert:
SELinux is preventing /usr/bin/mplayer from read access on the directory 2013-08-14.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mplayer should be allowed read access on the 2013-08-14 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                2013-08-14 [ dir ]
Source                        mplayer
Source Path                   /usr/bin/mplayer
Port                          <Unknown>
<snip>
Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   62
First Seen                    2013-01-02 11:26:28 EST
Last Seen                     2013-08-14 14:09:34 EDT
Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1

Raw Audit Messages
type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: mplayer,zoneminder_t,nfs_t,dir,read
m.roth@5-cent.us wrote:
I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user running mplayer as root (my manager). The ownership of the dated directory is motion:halevt.
Do I need to change the group, or add root to the group, to allow it to view without AVCs (even if it is in permissive)?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 08/14/2013 03:20 PM, m.roth@5-cent.us wrote:
m.roth@5-cent.us wrote:
I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user running mplayer as root (my manager). The ownership of the dated directory is motion:halevt.
Do I need to change the group, or add root to the group, to allow it to view without AVCs (even if it is in permissive)?
Does zoneminder normally read users' home dirs?
On 15/08/13 14:16, Daniel J Walsh wrote:
On 08/14/2013 03:20 PM, m.roth@5-cent.us wrote:
m.roth@5-cent.us wrote:
I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user running mplayer as root (my manager). The ownership of the dated directory is motion:halevt.
Do I need to change the group, or add root to the group, to allow it to view without AVCs (even if it is in permissive)?
Does zoneminder normally read users' home dirs?
Categorically not! If motion needs such a weird policy, then Motion should have its own one.
Zoneminder still needs some very minor fixes and maybe some optional booleans, to make the policy better and more secure, but otherwise is fine.
I will submit some more fixes and patches soon.
Regards,
Tristan
Daniel J Walsh wrote:
On 08/14/2013 03:20 PM, m.roth@5-cent.us wrote:
m.roth@5-cent.us wrote:
I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user running mplayer as root (my manager). The ownership of the dated directory is motion:halevt.
Do I need to change the group, or add root to the group, to allow it to view without AVCs (even if it is in permissive)?
Does zoneminder normally read users' home dirs?
Now that I've had a chance to think about that, and to google what zoneminder *is*, the answer is "huh?". We don't have zoneminder installed. For the security cameras, we use the std. package motion. My manager usually has mplayer reading the raw feed from the cameras, while motion saves an hourly jpg, and videos of motion in their view. All the jpgs and videos are saved to /home/motion/<whatever><dated directory>, and /home/motion is NFS-mounted.
mark
On 08/15/2013 05:04 PM, m.roth@5-cent.us wrote:
Daniel J Walsh wrote:
On 08/14/2013 03:20 PM, m.roth@5-cent.us wrote:
m.roth@5-cent.us wrote:
I did a full relabel of the system.
getsebool reports use_nfs_home_dirs --> on
The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user running mplayer as root (my manager). The ownership of the dated directory is motion:halevt.
Do I need to change the group, or add root to the group, to allow it to view without AVCs (even if it is in permissive)?
Does zoneminder normally read users' home dirs?
Now that I've had a chance to think about that, and to google what zoneminder *is*, the answer is "huh?". We don't have zoneminder installed. For the security cameras, we use the std. package motion. My manager usually has mplayer reading the raw feed from the cameras, while motion saves an hourly jpg, and videos of motion in their view. All the jpgs and videos are saved to /home/motion/<whatever><dated directory>, and /home/motion is NFS-mounted.
mark
Mark, yes, there is probably a bug. Could you open a new one? Basically it is about "motion" labeling, which looks wrong.
Lukas Vrabec will work on it.
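The clue that settles this thread is in the raw AVC records, not in the catchall suggestion: the denied process is mplayer, but its source context is zoneminder_t, a domain for software the host does not even have. The helper below is an added example (not code from the thread or from the Fedora policy project) that parses AVC lines as written above, rebuilds the key sealert prints as "Hash:", and flags a program running in a domain the site does not expect; the EXPECTED_DOMAIN table is an assumption about this host, and the sample records are copied from the thread.

```python
"""Triage the AVC records from this thread: parse, group like sealert,
and flag a program running in a domain the site does not expect."""
import re
from collections import defaultdict
# Constructed sample: the thread's two AVC records (SYSCALL record omitted).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for  pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for  pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def ctx_type(ctx):
    """user:role:type:level -> the type field, e.g. zoneminder_t."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def records(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def sealert_hash(rec):
    """The key sealert prints as 'Hash:' (comm,stype,ttype,class,perm)."""
    return ",".join([rec["comm"], ctx_type(rec["scontext"]),
                     ctx_type(rec["tcontext"]), rec["tclass"], rec["perms"][0]])

def summarize(text):
    """Group denials by (source type, target type, class) -> permission set."""
    groups = defaultdict(set)
    for r in records(text):
        groups[(ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"])].update(r["perms"])
    return dict(groups)

# Assumption (site policy, not from the thread): an interactive root login on
# Fedora targeted runs in unconfined_t, so mplayer in zoneminder_t is the clue.
EXPECTED_DOMAIN = {"mplayer": {"unconfined_t"}}

def unexpected_domains(text, expected=EXPECTED_DOMAIN):
    """[(comm, actual type)] for processes outside their expected domain."""
    hits = {(r["comm"], ctx_type(r["scontext"])) for r in records(text)
            if r["comm"] in expected and ctx_type(r["scontext"]) not in expected[r["comm"]]}
    return sorted(hits)
```

Running unexpected_domains over a real /var/log/audit/audit.log points at the mislabeled launcher (here the "motion" labeling) rather than at a missing allow rule, which is why audit2allow's catchall module would be the wrong fix.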