Back to FC 19 AVCs
Daniel J Walsh
dwalsh at redhat.com
Thu Aug 15 13:16:40 UTC 2013
On 08/14/2013 03:20 PM, m.roth at 5-cent.us wrote:
> m.roth at 5-cent.us wrote:
>> I did a full relabel of the system.
>>
>> getsebool reports use_nfs_home_dirs --> on
>>
>> The dated subdirectory is in motion's home directory, owned by motion,
>> and NFS mounted.
>
> Sorry, following myself up, after I thought better of it: it's a user
> running mplayer as root (my manager). The ownership of the dated directory
> is motion:halevt.
>
> Do I need to change the group, or add root to the group, to allow it to
> view without AVCs (even if it is in permissive)?
>
>>
>> And yet I get this from sealert:
>>
>> SELinux is preventing /usr/bin/mplayer from read access on the directory
>> 2013-08-14.
>>
>> ***** Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that mplayer should be allowed read access on the
>> 2013-08-14 directory by default. Then you should report this as a bug.
>> You can generate a local policy module to allow this access. Do allow
>> this access for now by executing:
>> # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context                system_u:system_r:zoneminder_t:s0
>> Target Context                system_u:object_r:nfs_t:s0
>> Target Objects                2013-08-14 [ dir ]
>> Source                        mplayer
>> Source Path                   /usr/bin/mplayer
>> Port                          <Unknown>
>> <snip>
>> Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
>> Alert Count                   62
>> First Seen                    2013-01-02 11:26:28 EST
>> Last Seen                     2013-08-14 14:09:34 EDT
>> Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1376503774.334:31452): avc: denied
>> { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38"
>> ino=29229148 scontext=system_u:system_r:zoneminder_t:s0
>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>
>> type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for
>> pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14"
>> dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0
>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>
>> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat
>> success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0
>> items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer
>> exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
>>
>> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>>
>>
>> -- selinux mailing list selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Does zoneminder normally read users' home dirs?
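Two things in the quoted records are worth pulling out before anyone runs the audit2allow command sealert suggests. First, the two AVC lines collapse to a single rule, `allow zoneminder_t nfs_t:dir { open read };`, and since `nfs_t` is the label every file on an NFS mount carries (absent a `context=` mount option), that rule hands the zoneminder domain the whole share, which is exactly what Dan's question is probing. Second, the SYSCALL record says `success=yes`: the kernel logged the denial but let the call through, so the domain (or the box) is permissive, consistent with the poster's remark. The script below is an added example, not code from the thread, from sealert or from any Fedora tool. It parses raw audit records, renders the audit2allow-style rule, and flags rules whose target is a mount-wide type. The sample records are the three quoted above re-joined onto one line each; `GENERIC_TARGETS` is my own illustrative set, not a list from policy.

```python
"""Turn raw SELinux audit records into the allow rules audit2allow would
generate, and note whether each denial was actually enforced."""
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, one per line
# (the list archive had wrapped them).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

# Types that label an entire mount; an allow rule against them is share-wide.
# Illustrative set chosen for this example, not taken from the policy.
GENERIC_TARGETS = {"nfs_t", "cifs_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?'
    r'success=(?P<success>\S+) exit=(?P<exit>\S+)'
)


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:object_r:nfs_t:s0 -> nfs_t."""
    return context.split(":")[2]


def parse_audit(text):
    """Return (denials, outcomes).

    denials:  (source_type, target_type, tclass) -> set of denied permissions
    outcomes: audit serial -> (success, exit) from the matching SYSCALL record
    """
    denials = defaultdict(set)
    outcomes = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m["serial"]] = (m["success"], m["exit"])
    return dict(denials), outcomes


def allow_rules(denials):
    """Render one audit2allow-style rule per (source, target, class)."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in denials.items()
    )


def blocked(outcomes, serial):
    """True if the kernel refused the call. An AVC 'denied' whose SYSCALL
    record says success=yes was logged but not enforced: the domain (or the
    whole system) is permissive."""
    success, _exit = outcomes[serial]
    return success == "no"


def needs_review(key):
    """Flag rules whose target type covers a whole mount rather than one
    application's own files."""
    _src, tgt, _cls = key
    return tgt in GENERIC_TARGETS


if __name__ == "__main__":
    denials, outcomes = parse_audit(SAMPLE_AUDIT)
    for rule, key in zip(allow_rules(denials), sorted(denials)):
        flag = "  # REVIEW: grants access to an entire mount" if needs_review(key) else ""
        print(rule + flag)
    for serial in outcomes:
        print(f"event {serial}: {'enforced' if blocked(outcomes, serial) else 'permissive (logged only)'}")
```

On a live system feed it `ausearch -m AVC,SYSCALL -ts recent` output instead of the sample. Whether the boolean the poster toggled reaches this domain at all can be checked with `sesearch -A -s zoneminder_t -t nfs_t -c dir -b use_nfs_home_dirs`; `use_nfs_home_dirs` only opens NFS access for domains whose policy carries rules conditioned on it, and if that query returns nothing the boolean is irrelevant to zoneminder_t and the real question is the one Dan asks, why a zoneminder-domain process is reading a user's home directory in the first place.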