On Mon, 2013-08-05 at 12:47 -0400, m.roth@xxxxxxxxx wrote:
> Dominick Grift wrote:
> > On Mon, 2013-08-05 at 11:16 -0400, m.roth@xxxxxxxxx wrote:
> >> We've got a service (motion) that has an NFS-mounted home directory. In
> >> that directory is ./bin, and some executables. Is there a boolean to
> >> allow
> >> that to be executed, or do I have to add a policy to allow that on every
> >> system that is running the service?
> >>
> >> Btw, the system it just showed up on is a newly updated FC19.
> >>
> >> mark
> >
> > Show us avc denials please
>
> First, here's getsebool -a | grep -i nfs
>
> cobbler_use_nfs --> off
> ftpd_use_nfs --> off
> git_cgi_use_nfs --> off
> git_system_use_nfs --> off
> httpd_use_nfs --> on
> ksmtuned_use_nfs --> off
> mpd_use_nfs --> off
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nfsd_anon_write --> off
> polipo_use_nfs --> off
> samba_share_nfs --> off
> sanlock_use_nfs --> off
> sge_use_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
> xen_use_nfs --> off
>
> I've got several - here's three:
>
> type=AVC msg=audit(1375711978.360:34383): avc: denied { read } for
> pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>

Where exactly is this directory "2013-08-05"? You might be able to find it with the find command:

find / -inum 29229135

But yes, you would need to add rules to conditionally allow this in theory (create a boolean zoneminder_use_nfs).

> This one is even more fun: it doesn't think bash should be allowed to
> execute mplayer (if I've got the sealert and the audit.log entry matched
> up....)
>
> type=AVC msg=audit(1375711977.280:34380): avc: denied { execute } for
> pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
> scontext=system_u:system_r:zoneminder_t:s0
> tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
>

That one looks strange because it seems that mplayer executes itself. In theory, you can use audit2allow to allow this.

> Is this what you needed?
>
> mark
>
> --
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
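The reply above suggests two things: run the denials through audit2allow, and put the NFS rules behind a new boolean (zoneminder_use_nfs) rather than granting them unconditionally. The script below is an added example, not part of the thread and not audit2allow itself: it parses the two AVC records quoted in the mail (embedded here as constructed sample input, re-joined onto single lines as they appear in /var/log/audit/audit.log), merges the denied permissions per (source type, target type, class) the way audit2allow does, and emits a loadable module in raw policy language in which every rule whose target is nfs_t sits inside an if (zoneminder_use_nfs) block, while the mplayer_exec_t execute rule is emitted unconditionally. The boolean name comes from the thread; the module name zoneminder_nfs and the default of "false" for the boolean are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the thread,
# re-joined onto single lines as the kernel writes them to audit.log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for  pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for  pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # the denied permission set
    r".*?scontext=(?P<scontext>\S+)"                 # source (process) context
    r"\s+tcontext=(?P<tcontext>\S+)"                 # target (object) context
    r"\s+tclass=(?P<tclass>\S+)"                     # object class
)


def parse_avcs(text):
    """Parse AVC denial records into (source_type, target_type, tclass, perms) tuples."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record
        # A context is user:role:type[:range]; the type is always field 2.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        denials.append((stype, ttype, m.group("tclass"), perms))
    return denials


def merge_denials(denials):
    """Union the permissions per (stype, ttype, tclass), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    return {key: frozenset(perms) for key, perms in merged.items()}


def fmt_perms(perms):
    """Render a permission set in policy syntax: `read` or `{ open read }`."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def allow_rule(stype, ttype, tclass, perms):
    return f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};"


def generate_module(denials, name="zoneminder_nfs", version="1.0",
                    boolean="zoneminder_use_nfs", gated_types=("nfs_t",)):
    """Build a loadable-module .te in raw policy language (checkmodule syntax).

    Rules whose target type is in gated_types go inside an if (boolean)
    block, so the NFS access stays off until the admin flips the boolean
    with setsebool; all other rules are emitted unconditionally.
    """
    merged = merge_denials(denials)
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in merged.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", "", f"bool {boolean} false;", ""]

    gated = [allow_rule(*k, v) for k, v in sorted(merged.items()) if k[1] in gated_types]
    plain = [allow_rule(*k, v) for k, v in sorted(merged.items()) if k[1] not in gated_types]
    lines += plain
    if gated:
        lines += ["", f"if ({boolean}) {{"] + ["\t" + r for r in gated] + ["}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_module(parse_avcs(SAMPLE_AVCS)), end="")
```

Save the output as zoneminder_nfs.te and build and load it with checkmodule -M -m -o zoneminder_nfs.mod zoneminder_nfs.te, semodule_package -o zoneminder_nfs.pp -m zoneminder_nfs.mod and semodule -i zoneminder_nfs.pp; the boolean then shows up in getsebool -a and is switched on with setsebool -P zoneminder_use_nfs on. Two caveats a practitioner will hit: in enforcing mode the kernel only reports the first denied permission, so after allowing read on the directory the next run will typically deny search, getattr or open, and you iterate (or collect a full set under permissive mode) until the log is clean; and, as the reply notes, a denial that does not make sense, such as zoneminder_t executing the mplayer binary it is already running as, deserves a look at what is really happening before it is allowed.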