Executables in a home directory

Miroslav Grepl mgrepl at redhat.com
Tue Sep 3 08:50:10 UTC 2013


On 08/05/2013 06:57 PM, Dominick Grift wrote:
> On Mon, 2013-08-05 at 12:47 -0400, m.roth at 5-cent.us wrote:
>> Dominick Grift wrote:
>>> On Mon, 2013-08-05 at 11:16 -0400, m.roth at 5-cent.us wrote:
>>>> We've got a service (motion) that has an NFS-mounted home directory. In
>>>> that directory is ./bin, and some executables. Is there a boolean to
>>>> allow
>>>> that to be executed, or do I have to add a policy to allow that on every
>>>> system that is running the service?
>>>>
>>>> Btw, the system it just showed up on is a newly updated FC19.
>>>>
>>>>        mark
>>> Show us avc denials please
>> First, here's getsebool -a | grep -i nfs
>>
>> cobbler_use_nfs --> off
>> ftpd_use_nfs --> off
>> git_cgi_use_nfs --> off
>> git_system_use_nfs --> off
>> httpd_use_nfs --> on
>> ksmtuned_use_nfs --> off
>> mpd_use_nfs --> off
>> nfs_export_all_ro --> on
>> nfs_export_all_rw --> on
>> nfsd_anon_write --> off
>> polipo_use_nfs --> off
>> samba_share_nfs --> off
>> sanlock_use_nfs --> off
>> sge_use_nfs --> off
>> use_nfs_home_dirs --> on
>> virt_use_nfs --> off
>> xen_use_nfs --> off
>>
>> I've got several - here's three:
>>
>> type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for
>> pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
>> scontext=system_u:system_r:zoneminder_t:s0
>> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>
> Where exactly is this directory "2013-08-05"?
>
> You might be able to find it with the find command: find / -inum
> 29229135
>
> But yes you would need to add rules to conditionally allow this in
> theory (create a boolean zoneminder_use_nfs)
>
>> This one is even more fun: it doesn't think bash should be allowed to
>> execute mplayer (if I've got the sealert and the audit.log entry matched
>> up....)
>>
>> type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for
>> pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
>> scontext=system_u:system_r:zoneminder_t:s0
>> tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
>>
> That one looks strange because it seems that mplayer executes itself. In
> theory you can use audit2allow to allow this.
>
>> Is this what you needed?
>>
>>          mark
>>
>>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Also probably a bug with "motion" labeling.
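As an added example that is not part of the thread or of any participant's mail: a small Python script that parses AVC records such as the two quoted above, derives the allow rule that audit2allow would emit for each (the "add rules" Dominick mentions), checks whether a `<domain>_use_nfs` boolean exists in the quoted getsebool output, and prints the inode lookup Dominick suggests. The sample records and boolean list are taken from the mail (re-joined onto one line each, as audit.log writes them); the `<domain>_use_nfs` naming convention is an assumption drawn from the boolean names on the page, not a guarantee that policy defines such a boolean for every domain.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two AVC records quoted in the thread, each re-joined onto a single line
# (audit.log writes one record per line; the mail client wrapped them).
SAMPLE_AVCS: List[str] = [
    'type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for '
    'pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135 '
    'scontext=system_u:system_r:zoneminder_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for '
    'pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612 '
    'scontext=system_u:system_r:zoneminder_t:s0 '
    'tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file',
]

# A subset of the `getsebool -a | grep -i nfs` output quoted in the thread.
SAMPLE_GETSEBOOL = """\
cobbler_use_nfs --> off
ftpd_use_nfs --> off
httpd_use_nfs --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
use_nfs_home_dirs --> on
virt_use_nfs --> off
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    perms: List[str]          # permissions inside the { ... } braces
    tclass: str               # object class: dir, file, ...
    scontext: str             # source (process) security context
    tcontext: str             # target (object) security context
    fields: Dict[str, str]    # every key=value after "for", quotes stripped

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; allow rules refer to the type.
        return self.scontext.split(':')[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(':')[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Return the denial's permissions and fields, or None if the line is not
    an AVC denial (e.g. the SYSCALL record that follows it in audit.log)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return Avc(m.group('perms').split(), fields['tclass'],
               fields['scontext'], fields['tcontext'], fields)


def allow_rule(avc: Avc) -> str:
    """The rule audit2allow would generate for this single denial."""
    perms = avc.perms[0] if len(avc.perms) == 1 else '{ ' + ' '.join(avc.perms) + ' }'
    return f'allow {avc.source_type} {avc.target_type}:{avc.tclass} {perms};'


def parse_getsebool(text: str) -> Dict[str, str]:
    """Map boolean name -> 'on'/'off' from `getsebool -a` output."""
    booleans: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, state = line.partition(' --> ')
        if sep:
            booleans[name.strip()] = state.strip()
    return booleans


def candidate_boolean(avc: Avc) -> Optional[str]:
    """Name a `<domain>_use_nfs` boolean would have for this denial, following
    the convention visible in the getsebool output (an assumption: policy may
    not define it).  None when the target is not NFS-labelled."""
    if avc.target_type != 'nfs_t' or not avc.source_type.endswith('_t'):
        return None
    return avc.source_type[:-len('_t')] + '_use_nfs'


def locate_hint(avc: Avc) -> str:
    """Where the denied object lives.  A file denial carries path=...; a dir
    denial only name= and ino=, so fall back to the inode search Dominick
    suggests.  Inode numbers are unique only per filesystem, so confirm any
    hit is on the filesystem named by dev=..."""
    if 'path' in avc.fields:
        return avc.fields['path']
    return f"find / -inum {avc.fields.get('ino', '?')}"


def main() -> None:
    booleans = parse_getsebool(SAMPLE_GETSEBOOL)
    for line in SAMPLE_AVCS:
        avc = parse_avc(line)
        if avc is None:
            continue
        print(allow_rule(avc))
        print('  object:', locate_hint(avc), f"(dev={avc.fields.get('dev')})")
        name = candidate_boolean(avc)
        if name:
            print('  boolean', name, '->', booleans.get(name, 'not defined'))


if __name__ == '__main__':
    main()
```

For the first record this prints `allow zoneminder_t nfs_t:dir read;` and reports that no `zoneminder_use_nfs` boolean is defined, which is why `use_nfs_home_dirs` being on does not help this domain; for the second it prints `allow zoneminder_t mplayer_exec_t:file execute;`, the self-execute rule Dominick found odd.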

