Daniel J Walsh wrote:
> On 08/14/2013 03:20 PM, m.roth@xxxxxxxxx wrote:
>> m.roth@xxxxxxxxx wrote:
>>> I did a full relabel of the system.
>>>
>>> getsebool reports use_nfs_home_dirs --> on
>>>
>>> The dated subdirectory is in motion's home directory, owned by motion,
>>> and NFS mounted.
>>
>> Sorry, following myself up, after I thought better of it: it's a user
>> running mplayer as root (my manager). The ownership of the dated directory
>> is motion:halevt.
>>
>> Do I need to change the group, or add root to the group, to allow it to
>> view without AVCs (even if it is in permissive)?
>>>
>>> And yet I get this from sealert:
>>>
>>> SELinux is preventing /usr/bin/mplayer from read access on the directory
>>> 2013-08-14.
>>>
>>> ***** Plugin catchall (100. confidence) suggests ***************************
>>>
>>> If you believe that mplayer should be allowed read access on the
>>> 2013-08-14 directory by default. Then you should report this as a bug.
>>> You can generate a local policy module to allow this access.
>>> Do allow this access for now by executing:
>>> # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>> Additional Information:
>>> Source Context                system_u:system_r:zoneminder_t:s0
>>> Target Context                system_u:object_r:nfs_t:s0
>>> Target Objects                2013-08-14 [ dir ]
>>> Source                        mplayer
>>> Source Path                   /usr/bin/mplayer
>>> Port                          <Unknown>
>>> <snip>
>>> Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
>>> Alert Count                   62
>>> First Seen                    2013-01-02 11:26:28 EST
>>> Last Seen                     2013-08-14 14:09:34 EDT
>>> Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1
>>>
>>> Raw Audit Messages
>>> type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>>
>>> type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>>>
>>> type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
>>>
>>> Hash: mplayer,zoneminder_t,nfs_t,dir,read
>>
> Does zoneminder normally read users' home dirs?

Now that I've had a chance to think about that, and to google what zoneminder
*is*, the answer is "huh?". We don't have zoneminder installed. For the
security cameras, we use the std. package motion. My manager usually has
mplayer reading the raw feed from the cameras, while motion saves an hourly
jpg, and videos of motion in their view. All the jpgs and videos are saved to
/home/motion/<whatever><dated directory>, and /home/motion is NFS-mounted.

     mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
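Added example, not part of the thread above and not anything from the selinux list, sealert or audit2allow: a small Python triage script that does by hand what the sealert output and the suggested `grep ... | audit2allow` pipeline do automatically. It joins the AVC records to their SYSCALL record by audit serial, groups the denials by (source type, target type, object class) the way audit2allow does before it emits one allow rule per triple, and reads `success=yes` on the SYSCALL record as the sign that the access actually went ahead (permissive). The three sample lines are the raw audit messages quoted in the thread, re-typed one record per line; the regexes and the `triage`/`summarize`/`allow_rule` names are this example's own. Seeing the rule audit2allow would write (`allow zoneminder_t nfs_t:dir { open read };`) next to the process name makes the real question visible before anything is loaded with semodule: why an mplayer run by root is in the zoneminder_t domain at all.

```python
import re
from collections import defaultdict

# Constructed sample input: the three raw audit records from the thread,
# one record per line (the list archive ran them together).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

# Regexes are this example's own; real audit lines may use two spaces around
# "denied", which the \s+ tolerates.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?success=(?P<success>\w+)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """system_u:system_r:zoneminder_t:s0 -> zoneminder_t (third field)."""
    return ctx.split(':')[2]


def parse_audit(text):
    """Group AVC and SYSCALL records that share an audit serial into one event."""
    events = defaultdict(lambda: {'perms': set(), 'fields': {}, 'success': None})
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            ev = events[m['serial']]
            ev['perms'].update(m['perms'].split())
            # Merge key=value fields from every AVC record of the event, so a
            # record carrying path= and one carrying name= both contribute.
            ev['fields'].update({k: v.strip('"') for k, v in KV_RE.findall(line)})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            events[m['serial']]['success'] = (m['success'] == 'yes')
    return dict(events)


def summarize(events):
    """Collapse events to (source type, target type, class) -> permissions,
    the grouping audit2allow uses to emit one allow rule per triple."""
    rules = defaultdict(set)
    for ev in events.values():
        f = ev['fields']
        key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
        rules[key] |= ev['perms']
    return dict(rules)


def allow_rule(key, perms):
    """Render one triple as the TE rule audit2allow would write for it."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def triage(text):
    """One dict per denied event with the facts a reviewer wants before deciding
    whether the rule is legitimate or the process is simply mislabelled."""
    report = []
    for serial, ev in sorted(parse_audit(text).items()):
        f = ev['fields']
        report.append({
            'serial': serial,
            'comm': f.get('comm'),
            'path': f.get('path') or f.get('name'),
            'source_type': context_type(f['scontext']),
            'target_type': context_type(f['tcontext']),
            'tclass': f['tclass'],
            'perms': sorted(ev['perms']),
            # A denial whose SYSCALL record still says success=yes means the
            # domain or the whole system is permissive; None = no SYSCALL seen.
            'permissive': ev['success'],
        })
    return report


if __name__ == '__main__':
    for ev in triage(SAMPLE_AUDIT_LOG):
        print(ev)
    for key, perms in summarize(parse_audit(SAMPLE_AUDIT_LOG)).items():
        print(allow_rule(key, perms))
```

Run it against a real log with `python3 triage.py < /dev/null` adapted to read `/var/log/audit/audit.log` (or `ausearch -m avc --raw`); the only change is where `SAMPLE_AUDIT_LOG` comes from. The `permissive` flag is what answers mark's parenthetical: in permissive mode the directory is read regardless, and the AVCs are a record of what enforcing mode would have blocked.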