Executables in a home directory

Dominick Grift dominick.grift at gmail.com
Mon Aug 5 16:57:38 UTC 2013


On Mon, 2013-08-05 at 12:47 -0400, m.roth at 5-cent.us wrote:
> Dominick Grift wrote:
> > On Mon, 2013-08-05 at 11:16 -0400, m.roth at 5-cent.us wrote:
> >> We've got a service (motion) that has an NFS-mounted home directory. In
> >> that directory is ./bin, and some executables. Is there a boolean to
> >> allow
> >> that to be executed, or do I have to add a policy to allow that on every
> >> system that is running the service?
> >>
> >> Btw, the system it just showed up on is a newly updated FC19.
> >>
> >>       mark
> >
> > Show us avc denials please
> 
> First, here's getsebool -a | grep -i nfs
> 
> cobbler_use_nfs --> off
> ftpd_use_nfs --> off
> git_cgi_use_nfs --> off
> git_system_use_nfs --> off
> httpd_use_nfs --> on
> ksmtuned_use_nfs --> off
> mpd_use_nfs --> off
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nfsd_anon_write --> off
> polipo_use_nfs --> off
> samba_share_nfs --> off
> sanlock_use_nfs --> off
> sge_use_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
> xen_use_nfs --> off
> 
> I've got several - here's three:
> 
> type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for 
> pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> 

Where exactly is this directory "2013-08-05"?

You might be able to find it with the find command: find / -inum 29229135

But yes, you would need to add rules to conditionally allow this in
theory (create a boolean zoneminder_use_nfs).

> This one is even more fun: it doesn't think bash should be allowed to
> execute mplayer (if I've got the sealert and the audit.log entry matched
> up....)
> 
> type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for 
> pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
> 

That one looks strange because it seems that mplayer executes itself. In
theory you can use audit2allow to allow this.

> Is this what you needed?
> 
>         mark
> 
> 

More information about the selinux mailing list