Re: Executables in a home directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/05/2013 06:57 PM, Dominick Grift wrote:
On Mon, 2013-08-05 at 12:47 -0400, m.roth@xxxxxxxxx wrote:
Dominick Grift wrote:
On Mon, 2013-08-05 at 11:16 -0400, m.roth@xxxxxxxxx wrote:
We've got a service (motion) that has an NFS-mounted home directory. In
that directory is ./bin, and some executables. Is there a boolean to
allow
that to be executed, or do I have to add a policy to allow that on every
system that is running the service?

Btw, the system it just showed up on is a newly updated FC19.

       mark
Show us avc denials please
First, here's getsebool -a | grep -i nfs

cobbler_use_nfs --> off
ftpd_use_nfs --> off
git_cgi_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> on
ksmtuned_use_nfs --> off
mpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
polipo_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off

I've got several - here's three:

type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for
pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Where exactly is this directory "2013-08-05"?

You might be able to find it with the find command: find / -inum
29229135

But yes you would need to add rules to conditionally allow this in
theory (create a boolean zoneminder_use_nfs)

This one is even more fun: it doesn't think bash should be allowed to
execute mplayer (if I've got the sealert and the audit.log entry matched
up....)

type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for
pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
scontext=system_u:system_r:zoneminder_t:s0
tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file

That one looks strange because it seems that mplayer executes itself. In
theory you can use audit2allow to allow this.

Is this what you needed?

         mark



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Also probably bug with "motion" labelng.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux