On 21/05/13 14:58, m.roth@xxxxxxxxx wrote:
Tristan Santore wrote:
Dear All,
For the last few days Dominick and I have been trying to write a policy
for Zoneminder, as the current policy does not seem to be working.
I will append what we gathered up so far below, however before I do,
there seems to be an inherent problem with apache and sudo/su/pam, which
seems to work in permissive mode, but as soon as I enable enforcing,
b00m, I get these.
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
1000" not met by user "apache"
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
1000" not met by user "apache"
<snip>
I'm nowhere near that good with selinux, but
a) the apache or httpd user normally has a GID under 1000 - that's the way
it's installed. It is a system daemon.
b) looks like something with apache wants a password. Is this a
self-signed secure site that you gave it a password when you created the
cert, so that it needs one to start up?
mark
I think it has more to do with the fact it is looking for a file or
something with information in, probably relating to sudo/pam.
And because there is some protection in selinux somewhere, maybe even in
Apache itself (although unlikely as it works in permissive mode), it
gets stuck, and we are not seeing any useful denials.
Zoneminder has a web front-end, some binaries, and they need to access
/dev/video nodes. So that appears to be the reason why it uses sudo as
some kind of protection. But I have not looked into it too much.
There are quite a few scripts, some binaries. Bit of a jumble yard.
With regards to certs....no certs.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
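As an added example (not part of the thread or of ZoneMinder), the script below parses the su/sudo PAM messages quoted above and flags the pattern they show: a system account (uid below the pam_succeed_if threshold, with no usable password) being driven through su or sudo, which is worth catching in logs before chasing SELinux denials. The log lines and the passwd excerpt are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the su/PAM lines quoted in the thread.
SAMPLE_LOG = """\
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
May 21 14:19:01 hq su: pam_unix(su:auth): authentication failure; logname=tristan uid=1000 euid=0 tty=pts/0 ruser=tristan rhost=  user=root
May 21 14:20:45 hq sudo: pam_succeed_if(sudo:auth): requirement "uid >= 1000" not met by user "zoneminder"
"""

# Constructed /etc/passwd excerpt (hypothetical uids) standing in for the live NSS database.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
zoneminder:x:995:993:ZoneMinder:/var/lib/zoneminder:/sbin/nologin
tristan:x:1000:1000::/home/tristan:/bin/bash
"""

# pam_succeed_if(<service>:<type>): requirement "<rule>" not met by user "<name>"
SUCCEED_IF = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: '
                        r'pam_succeed_if\((?P<svc>[^:]+):(?P<type>\w+)\): '
                        r'requirement "(?P<req>[^"]+)" not met by user "(?P<user>[^"]+)"$')
# pam_unix(<service>:auth): auth could not identify password for [<name>]
NO_PASSWORD = re.compile(r'pam_unix\((?P<svc>[^:]+):auth\): auth could not identify password for \[(?P<user>[^\]]+)\]')

def parse_passwd(text):
    """Map account name -> numeric uid from passwd-format text."""
    return {f[0]: int(f[2]) for f in (l.split(':') for l in text.splitlines() if l.strip())}

def system_account_auth_failures(log_text, passwd_text, threshold=1000):
    """Return [(service, user, uid, reasons)] for accounts below `threshold` that hit a PAM auth wall.
    The default matches the 'uid >= 1000' pam_succeed_if rule seen in the quoted log."""
    uids = parse_passwd(passwd_text)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = SUCCEED_IF.search(line)
        if m:
            hits[(m['svc'], m['user'])].add('requirement: ' + m['req'])
            continue
        m = NO_PASSWORD.search(line)
        if m:
            hits[(m['svc'], m['user'])].add('no usable password')
    return [(svc, user, uids[user], sorted(reasons))
            for (svc, user), reasons in sorted(hits.items())
            if user in uids and uids[user] < threshold]

if __name__ == '__main__':
    for svc, user, uid, reasons in system_account_auth_failures(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f"{svc}: system account {user} (uid {uid}) failed PAM auth: {', '.join(reasons)}")
```

Feeding it /var/log/secure and the real /etc/passwd lists every daemon account that a service is trying to push through su or sudo, which on a stock system-auth stack will never succeed regardless of SELinux mode.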