Back to FC 19 AVCs

Daniel J Walsh dwalsh at redhat.com
Thu Aug 15 13:16:40 UTC 2013


On 08/14/2013 03:20 PM, m.roth at 5-cent.us wrote:
> m.roth at 5-cent.us wrote:
>> I did a full relabel of the system.
>> 
>> getsebool reports use_nfs_home_dirs --> on
>> 
>> The dated subdirectory is in motion's home directory, owned by motion,
>> and NFS mounted.
> 
> Sorry, following myself up, after I thought better of it: it's a user 
> running mplayer as root (my manager). The ownership of the dated directory 
> is motion:halevt.
> 
> Do I need to change the group, or add root to the group, to allow it to 
> view without AVCs (even if it is in permissive)?
> 
>> 
>> And yet I get this from sealert:
>> 
>> SELinux is preventing /usr/bin/mplayer from read access on the directory 
>> 2013-08-14.
>> 
>> *****  Plugin catchall (100. confidence) suggests 
>> ***************************
>> 
>> If you believe that mplayer should be allowed read access on the 
>> 2013-08-14 directory by default. Then you should report this as a bug. 
>> You can generate a local policy module to allow this access. Do allow
>> this access for now by executing:
>> # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>> 
>> 
>> Additional Information:
>> Source Context                system_u:system_r:zoneminder_t:s0
>> Target Context                system_u:object_r:nfs_t:s0
>> Target Objects                2013-08-14 [ dir ]
>> Source                        mplayer
>> Source Path                   /usr/bin/mplayer
>> Port                          <Unknown>
>> <snip>
>> Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
>> Alert Count                   62
>> First Seen                    2013-01-02 11:26:28 EST
>> Last Seen                     2013-08-14 14:09:34 EDT
>> Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1
>> 
>> Raw Audit Messages
>> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414
>> comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148
>> scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0
>> tclass=dir
>> 
>> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for 
>> pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14"
>> dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 
>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>> 
>> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat 
>> success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 
>> items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
>> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer 
>> exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
>> 
>> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>> 
>> 
>> -- selinux mailing list selinux at lists.fedoraproject.org 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Does zoneminder normally read users' home dirs?
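An added example (not from the thread or from Fedora's tooling): a small Python triage script that parses raw AVC records like the ones quoted above, skips the SYSCALL record, and merges the denied permissions into the single allow rule that audit2allow would emit, so the rule can be reviewed against the question of whether zoneminder_t should be reading nfs_t home directories at all before anything is loaded with semodule. The sample input is constructed from the records in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the thread, each
# re-joined onto one line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for  pid=17414 '
    'comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 '
    'scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for  pid=17414 '
    'comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 '
    'scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat '
    'success=yes exit=EINTR pid=17414 uid=0 comm=mplayer exe=/usr/bin/mplayer '
    'subj=system_u:system_r:zoneminder_t:s0 key=(null)',
])

# Fields of an AVC record: verdict, permission set, comm, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield one dict per denied AVC record; SYSCALL and other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("verdict") == "denied":
            yield {"comm": m.group("comm"),
                   "perms": set(m.group("perms").split()),
                   "stype": type_of(m.group("scontext")),
                   "ttype": type_of(m.group("tcontext")),
                   "tclass": m.group("tclass")}

def summarise(text):
    """Merge denials into one audit2allow-style rule per (comm, source type,
    target type, class), the same key sealert prints on its 'Hash:' line."""
    merged = defaultdict(set)
    for rec in parse_avcs(text):
        merged[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: "allow %s %s:%s { %s };" % (key[1], key[2], key[3], " ".join(sorted(perms)))
            for key, perms in merged.items()}

if __name__ == "__main__":
    for key, rule in summarise(SAMPLE_AUDIT_LOG).items():
        print(",".join(key), "->", rule)
```

Running it against a real log is `python3 avc_triage.py < /var/log/audit/audit.log` after swapping the constant for `sys.stdin.read()`; a rule whose source type is a daemon domain and whose target is nfs_t or user home content is the one to question rather than load.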



