Back to FC 19 AVCs

m.roth at 5-cent.us
Wed Aug 14 19:15:43 UTC 2013


I did a full relabel of the system.

getsebool reports
use_nfs_home_dirs --> on

The dated subdirectory is in motion's home directory, owned by motion, and
NFS mounted.

And yet I get this from sealert:

SELinux is preventing /usr/bin/mplayer from read access on the directory
2013-08-14.

*****  Plugin catchall (100. confidence) suggests ***************************

If you believe that mplayer should be allowed read access on the
2013-08-14 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                2013-08-14 [ dir ]
Source                        mplayer
Source Path                   /usr/bin/mplayer
Port                          <Unknown>
<snip>
Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul
                              30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   62
First Seen                    2013-01-02 11:26:28 EST
Last Seen                     2013-08-14 14:09:34 EDT
Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1

Raw Audit Messages
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for 
pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for 
pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38"
ino=29229148 scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat
success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0
items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer
exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: mplayer,zoneminder_t,nfs_t,dir,read
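
Added example (not part of the original post, and not audit2allow's own code): a small Python script that rejoins the hard-wrapped AVC records quoted above and prints the allow rule those two records imply, so the source type, target type and permissions can be read before any module built from them is loaded with semodule. The sample text is constructed from the two AVC records in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the post, still hard-wrapped
# the way the mail client left them.
SAMPLE = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for
pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for
pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38"
ino=29229148 scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

AVC = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\w+)")

def records(text):
    """Rejoin wrapped lines: a record starts at 'type=' and runs to the next."""
    buf = []
    for line in text.splitlines():
        if line.startswith("type=") and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def se_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class) and merge perms."""
    rules = defaultdict(set)
    for rec in records(text):
        m = AVC.search(rec)  # non-AVC records (e.g. SYSCALL) do not match
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```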



