Back to FC 19 AVCs

m.roth at 5-cent.us m.roth at 5-cent.us
Thu Aug 15 15:04:57 UTC 2013


Daniel J Walsh wrote:
> On 08/14/2013 03:20 PM, m.roth at 5-cent.us wrote:
>> m.roth at 5-cent.us wrote:

>>> I did a full relabel of the system.
>>>
>>> getsebool reports use_nfs_home_dirs --> on
>>>
>>> The dated subdirectory is in motion's home directory, owned by motion,
>>> and NFS mounted.
>>
>> Sorry, following myself up, after I thought better of it: it's a user
>> running mplayer as root (my manager). The ownership of the dated
>> directory
>> is motion:halevt.
>>
>> Do I need to change the group, or add root to the group, to allow it to
>> view without AVCs (even if it is in permissive)?
>>>
>>> And yet I get this from sealert:
>>>
>>> SELinux is preventing /usr/bin/mplayer from read access on the directory 2013-08-14.
>>>
>>> *****  Plugin catchall (100. confidence) suggests  ***************************
>>>
>>> If you believe that mplayer should be allowed read access on the
>>> 2013-08-14 directory by default. Then you should report this as a bug.
>>> You can generate a local policy module to allow this access. Do allow
>>> this access for now by executing:
>>> # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>> Additional Information:
>>> Source Context                system_u:system_r:zoneminder_t:s0
>>> Target Context                system_u:object_r:nfs_t:s0
>>> Target Objects                2013-08-14 [ dir ]
>>> Source                        mplayer
>>> Source Path                   /usr/bin/mplayer
>>> Port                          <Unknown>
>>> <snip>
>>> Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
>>> Alert Count                   62
>>> First Seen                    2013-01-02 11:26:28 EST
>>> Last Seen                     2013-08-14 14:09:34 EDT
>>> Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1
>>>
>>> Raw Audit Messages
>>> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>>
>>> type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>>
>>> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
>>>
>>> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>>
> Does zoneminder normally read users home dirs?

Now that I've had a chance to think about that, and to google what
zoneminder *is*, the answer is "huh?". We don't have zoneminder installed.
For the security cameras, we use the std. package motion. My manager
usually has mplayer reading the raw feed from the cameras, while motion
saves an hourly jpg, and videos of motion in their view. All the jpgs and
videos are saved to /home/motion/<whatever><dated directory>, and
/home/motion is NFS-mounted.

     mark
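The puzzle in this thread is that the AVC names a source domain (zoneminder_t) for a program the poster does not associate with zoneminder at all. The raw audit records are the ground truth for that: the scontext of the AVC and the subj of the matching SYSCALL record both carry the domain, and the SYSCALL record also carries exe and uid. The parser below is an added example (not code from this thread, from setroubleshoot, or from audit2allow) that pulls those fields out of raw audit lines, joins the AVC and SYSCALL records that share one serial number, rebuilds the "Hash:" key sealert prints, and groups executables by the domain they were actually running in. The sample input is the three records quoted above; the field names and the layout of the returned dicts are this example's own.

```python
import re
from collections import defaultdict

# The three raw audit records quoted in the sealert output above, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

# Every audit record starts with type=... msg=audit(<timestamp>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# AVC bodies look like: avc:  denied  { read write } for key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token such as (none).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'a=1 b="two"' into {'a': '1', 'b': 'two'} (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_record(line):
    """Parse one raw audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()  # an AVC may list several permissions
        rec.update(parse_fields(a["fields"]))
    else:
        rec.update(parse_fields(body))
    return rec


def summarize(text):
    """One event per denied permission, joined with the SYSCALL record of the same serial."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    events = []
    for r in records:
        if r["type"] != "AVC" or r["result"] != "denied":
            continue
        sc = syscalls.get(r["serial"], {})
        for perm in r["perms"]:
            events.append({
                "serial": r["serial"],
                "comm": r["comm"],
                "source_type": context_type(r["scontext"]),
                "target_type": context_type(r["tcontext"]),
                "tclass": r["tclass"],
                "perm": perm,
                # the open AVC carries a full path, the read AVC only a name
                "target": r.get("path") or r.get("name"),
                "exe": sc.get("exe"),
                "uid": sc.get("uid"),
                "syscall": sc.get("syscall"),
            })
    return events


def hash_key(ev):
    """Rebuild the comm,source type,target type,class,permission key sealert prints as 'Hash:'."""
    return ",".join([ev["comm"], ev["source_type"], ev["target_type"], ev["tclass"], ev["perm"]])


def domains_by_exe(events):
    """Which executables were observed running in which domains (sorted, deduplicated)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["exe"]:
            seen[ev["exe"]].add(ev["source_type"])
    return {exe: sorted(domains) for exe, domains in seen.items()}


if __name__ == "__main__":
    evs = summarize(SAMPLE_AUDIT)
    for ev in evs:
        print(hash_key(ev), ev["target"], "exe=%s uid=%s" % (ev["exe"], ev["uid"]))
    print(domains_by_exe(evs))
```

Feeding it the records from this thread yields `mplayer,zoneminder_t,nfs_t,dir,read` for the first AVC, which matches the Hash line sealert printed, and `domains_by_exe` reports `/usr/bin/mplayer` running as `zoneminder_t`. Run over a whole `/var/log/audit/audit.log`, that last table is the quickest way to see which binaries are ending up in a domain nobody expected, which is the question Dan Walsh's reply is really asking.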


