Back to FC 19 AVCs

Tristan Santore tristan.santore at internexusconnect.net
Thu Aug 15 13:23:22 UTC 2013


On 15/08/13 14:16, Daniel J Walsh wrote:
> On 08/14/2013 03:20 PM, m.roth at 5-cent.us wrote:
>> m.roth at 5-cent.us wrote:
>>> I did a full relabel of the system.
>>> 
>>> getsebool reports use_nfs_home_dirs --> on
>>> 
>>> The dated subdirectory is in motion's home directory, owned by 
>>> motion, and NFS mounted.
> 
>> Sorry, following myself up, after I thought better of it: it's a 
>> user running mplayer as root (my manager). The ownership of the 
>> dated directory is motion:halevt.
> 
>> Do I need to change the group, or add root to the group, to
>> allow it to view without AVCs (even if it is in permissive)?
> 
>>> 
>>> And yet I get this from sealert:
>>> 
>>> SELinux is preventing /usr/bin/mplayer from read access on the 
>>> directory 2013-08-14.
>>> 
>>> *****  Plugin catchall (100. confidence) suggests 
>>> ***************************
>>> 
>>> If you believe that mplayer should be allowed read access on 
>>> the 2013-08-14 directory by default. Then you should report 
>>> this as a bug. You can generate a local policy module to allow 
>>> this access. Do allow this access for now by executing: # grep 
>>> mplayer /var/log/audit/audit.log | audit2allow -M mypol # 
>>> semodule -i mypol.pp
>>> 
>>> 
>>> Additional Information: Source Context 
>>> system_u:system_r:zoneminder_t:s0 Target Context 
>>> system_u:object_r:nfs_t:s0 Target Objects 2013-08-14 [ dir ]
>>> Source                        mplayer Source Path
>>> /usr/bin/mplayer Port                          <Unknown> <snip>
>>> Platform Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30
>>> 11:29:05 UTC 2013 x86_64 x86_64 Alert Count 62 First Seen
>>> 2013-01-02 11:26:28 EST Last Seen 2013-08-14 14:09:34 EDT Local
>>> ID a01e1306-2704-45c0-813d-9bffa97c7bd1
>>> 
>>> Raw Audit Messages type=AVC msg=audit(1376503774.334:31452): 
>>> avc:  denied { read } for pid=17414 comm="mplayer" 
>>> name="2013-08-14" dev="0:38" ino=29229148 
>>> scontext=system_u:system_r:zoneminder_t:s0 
>>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>> 
>>> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open 
>>> } for pid=17414 comm="mplayer" 
>>> path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 
>>> scontext=system_u:system_r:zoneminder_t:s0 
>>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>> 
>>> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 
>>> syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c 
>>> a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 
>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer 
>>> exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 
>>> key=(null)
>>> 
>>> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>>> 
>>> 
>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> 
> 
> Does zoneminder normally read users home dirs?
> 
> 
> 
Categorically not! If motion needs such a weird policy, then Motion
should have its own one.

Zoneminder still needs some very minor fixes and maybe some optional
booleans, to make the policy better and more secure, but otherwise is
fine.

I will submit some more fixes and patches soon.

Regards,

Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

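An added example, not part of the thread: a small Python parser over the raw audit records quoted above (constructed here as a single string, reflowed to one record per line) that merges the denials the way audit2allow does and renders the allow rule the catchall plugin would produce. It makes the point of the thread visible: the rule is keyed on the source type zoneminder_t, so it would grant the access to every process in that domain, not only to mplayer.

```python
import re
# Constructed sample: the three records quoted in the thread, reflowed to one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

# Only AVC records carry a denial; SYSCALL records (and anything else) are skipped.
AVC_RE = re.compile(r'^type=AVC .*?denied\s+\{(?P<perms>[^}]*)\}(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's key fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields["comm"],
        "target": fields.get("path") or fields.get("name"),
        # contexts are user:role:type:level; only the type matters for policy rules
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def sealert_hash(rec):
    """Reproduce the 'Hash:' line sealert prints for one denial."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *sorted(rec["perms"])])

def summarize(audit_text):
    """Merge denials by (source type, target type, class) the way audit2allow does."""
    rules = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            entry = rules.setdefault(key, {"perms": set(), "comms": set()})
            entry["perms"] |= rec["perms"]
            entry["comms"].add(rec["comm"])   # which programs were actually denied
    return rules

def allow_rule(key, entry):
    """Render the allow rule audit2allow would emit: it names the whole domain,
    so every process running in that source type gains the access, not just the denied comm."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(entry['perms']))} }};"
```

Comparing `entry["comms"]` with the programs the domain is meant to run is the quick check for whether a denial is a policy gap or, as here, a program that ended up in the wrong domain.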