Back to FC 19 AVCs

m.roth at 5-cent.us
Wed Aug 14 19:20:14 UTC 2013


m.roth at 5-cent.us wrote:
> I did a full relabel of the system.
>
> getsebool reports
> use_nfs_home_dirs --> on
>
> The dated subdirectory is in motion's home directory, owned by motion, and
> NFS mounted.

Sorry, following myself up, after I thought better of it: it's a user
running mplayer as root (my manager). The ownership of the dated directory
is motion:halevt.

Do I need to change the group, or add root to the group, to allow it to
view without AVCs (even if it is in permissive)?

>
> And yet I get this from sealert:
>
> SELinux is preventing /usr/bin/mplayer from read access on the directory
> 2013-08-14.
>
> *****  Plugin catchall (100. confidence) suggests  ***************************
>
> If you believe that mplayer should be allowed read access on the
> 2013-08-14 directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:zoneminder_t:s0
> Target Context                system_u:object_r:nfs_t:s0
> Target Objects                2013-08-14 [ dir ]
> Source                        mplayer
> Source Path                   /usr/bin/mplayer
> Port                          <Unknown>
> <snip>
> Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
> Alert Count                   62
> First Seen                    2013-01-02 11:26:28 EST
> Last Seen                     2013-08-14 14:09:34 EDT
> Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1
>
> Raw Audit Messages
> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>
> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
>
> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
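An added example, not part of the list post and not code from the SELinux tools: a small Python parser for the raw audit records quoted above. The sample log is constructed from those records with the mail client's line wrapping undone. The parser groups denied permissions by source type, target type and object class, renders the allow rule an audit2allow module for these denials would carry (so it can be read before any `semodule -i`), and joins each AVC record to the SYSCALL record with the same serial number, putting the Unix uid (0) next to the SELinux domain (zoneminder_t) and target type (nfs_t) that type enforcement actually keyed the decision on.

```python
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, each rejoined
# onto a single line the way auditd writes them to /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

# Every audit record starts with its type and an event id "timestamp:serial";
# records belonging to one event share the serial.
RECORD_RE = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)')
# AVC bodies carry the result and permission set before the key=value fields.
AVC_BODY_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for (?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """The third field of an SELinux context (user:role:type:level) is the type."""
    return context.split(':')[2]


def parse_record(line):
    """Parse one audit record into a dict, or return None for unknown lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'serial': int(m.group('serial'))}
    body = m.group('body')
    if rec['type'] == 'AVC':
        a = AVC_BODY_RE.match(body)
        if not a:
            return None
        rec['result'] = a.group('result')
        rec['perms'] = a.group('perms').split()
        body = a.group('kv')
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def summarize_denials(log_text):
    """Collapse denied AVCs to {(source type, target type, class): sorted perms}."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec['type'] == 'AVC' and rec['result'] == 'denied':
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            grouped[key].update(rec['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def proposed_te_rules(summary):
    """Render the allow rules a module built from these denials would contain."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


def who_was_denied(log_text):
    """Join each denied AVC to its SYSCALL record (same serial) so the Unix uid
    and the SELinux domain the kernel decided on appear side by side."""
    syscalls, avcs = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        if rec['type'] == 'SYSCALL':
            syscalls[rec['serial']] = rec
        elif rec['type'] == 'AVC' and rec['result'] == 'denied':
            avcs.append(rec)
    report = []
    for avc in avcs:
        sc = syscalls.get(avc['serial'], {})
        report.append({
            'comm': avc['comm'],
            'uid': int(sc['uid']) if 'uid' in sc else None,
            'domain': type_of(avc['scontext']),
            'target': type_of(avc['tcontext']),
            'perms': avc['perms'],
        })
    return report


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in proposed_te_rules(summary):
        print(rule)
    for entry in who_was_denied(SAMPLE_AUDIT_LOG):
        print(entry)
```

Running it against a real `/var/log/audit/audit.log` (read it into `log_text` instead of the constructed sample) lists every distinct source/target/class triple that was denied, which is the part of an `audit2allow` module worth reading before it is installed: a rule such as `allow zoneminder_t nfs_t:dir { open read };` grants the whole domain that access, not just the one mplayer process.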
