Re: Back to FC 19 AVCs

On 08/15/2013 05:04 PM, m.roth@xxxxxxxxx wrote:
Daniel J Walsh wrote:
On 08/14/2013 03:20 PM, m.roth@xxxxxxxxx wrote:
m.roth@xxxxxxxxx wrote:
I did a full relabel of the system.

getsebool reports use_nfs_home_dirs --> on

The dated subdirectory is in motion's home directory, owned by motion,
and NFS mounted.
Sorry, following myself up, after I thought better of it: it's a user
running mplayer as root (my manager). The ownership of the dated
directory is motion:halevt.

Do I need to change the group, or add root to the group, to allow it to
view without AVCs (even if it is in permissive)?
And yet I get this from sealert:

SELinux is preventing /usr/bin/mplayer from read access on the directory 2013-08-14.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mplayer should be allowed read access on the
2013-08-14 directory by default. Then you should report this as a bug.
You can generate a local policy module to allow this access. Do allow
this access for now by executing:
# grep mplayer /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                2013-08-14 [ dir ]
Source                        mplayer
Source Path                   /usr/bin/mplayer
Port                          <Unknown>
<snip>
Platform                      Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   62
First Seen                    2013-01-02 11:26:28 EST
Last Seen                     2013-08-14 14:09:34 EDT
Local ID                      a01e1306-2704-45c0-813d-9bffa97c7bd1

Raw Audit Messages
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: mplayer,zoneminder_t,nfs_t,dir,read
Does zoneminder normally read users' home dirs?
Now that I've had a chance to think about that, and to google what
zoneminder *is*, the answer is "huh?". We don't have zoneminder installed.
For the security cameras, we use the std. package motion. My manager
usually has mplayer reading the raw feed from the cameras, while motion
saves an hourly jpg, and videos of motion in their view. All the jpgs and
videos are saved to /home/motion/<whatever><dated directory>, and
/home/motion is NFS-mounted.

      mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Mark,
Yes, there is probably a bug. Could you open a new one? Basically it is about the "motion" labeling, which looks wrong.

Lukas Vrabec will work on it.
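An added example, not code from this thread or from the SELinux project: it parses the raw AVC records quoted above the way sealert does, rebuilds the "Hash:" key, and applies the check that the reply's diagnosis suggests, namely whether the process is running in a domain whose name does not match it (mplayer in zoneminder_t), which usually points to a labeling bug rather than a missing allow rule. The domain/program name comparison is this example's own heuristic, and the log text is a constructed copy of the records from the thread.

```python
import re

# Constructed sample: the audit records quoted in the thread, rejoined one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1376503774.334:31452): avc:  denied  { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """user:role:type:level -> type, the part sealert puts in its Hash line."""
    return context.split(":")[2]

def parse_avcs(log_text):
    """Return one dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({"verdict": m["verdict"], "perms": m["perms"].split(),
                            "comm": m["comm"], "stype": type_of(m["scontext"]),
                            "ttype": type_of(m["tcontext"]), "tclass": m["tclass"]})
    return records

def sealert_hashes(records):
    """sealert-style key per denied (comm, source type, target type, class, perm)."""
    keys = []
    for r in records:
        for perm in (r["perms"] if r["verdict"] == "denied" else []):
            key = ",".join([r["comm"], r["stype"], r["ttype"], r["tclass"], perm])
            if key not in keys:
                keys.append(key)
    return keys

def likely_mislabeled(records):
    """Heuristic (this example's own, not sealert's): a denial whose source domain
    name has nothing in common with the program name usually means the executable
    or its parent was mislabeled, so an audit2allow module is the wrong fix."""
    flagged = set()
    for r in records:
        domain = re.sub(r"_t$", "", r["stype"])
        if domain not in r["comm"] and r["comm"] not in domain:
            flagged.add((r["comm"], r["stype"]))
    return sorted(flagged)
```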