Re: Executables in a home directory

[Miroslav Grepl <mgrepl@xxxxxxxxxx>]

On 09/03/2013 10:50 AM, Miroslav Grepl wrote:
> On 08/05/2013 06:57 PM, Dominick Grift wrote:
> > On Mon, 2013-08-05 at 12:47 -0400, m.roth@xxxxxxxxx wrote:
> > > Dominick Grift wrote:
> > > > On Mon, 2013-08-05 at 11:16 -0400, m.roth@xxxxxxxxx wrote:
> > > > > We've got a service (motion) that has an NFS-mounted home 
> > > > > directory. In
> > > > > that directory is ./bin, and some executables. Is there a boolean to
> > > > > allow
> > > > > that to be executed, or do I have to add a policy to allow that on 
> > > > > every
> > > > > system that is running the service?
> > > > >
> > > > > Btw, the system it just showed up on is a newly updated FC19.
> > > > >
> > > > >        mark
> > > > Show us avc denials please
> > > First, here's getsebool -a | grep -i nfs
> > >
> > > cobbler_use_nfs --> off
> > > ftpd_use_nfs --> off
> > > git_cgi_use_nfs --> off
> > > git_system_use_nfs --> off
> > > httpd_use_nfs --> on
> > > ksmtuned_use_nfs --> off
> > > mpd_use_nfs --> off
> > > nfs_export_all_ro --> on
> > > nfs_export_all_rw --> on
> > > nfsd_anon_write --> off
> > > polipo_use_nfs --> off
> > > samba_share_nfs --> off
> > > sanlock_use_nfs --> off
> > > sge_use_nfs --> off
> > > use_nfs_home_dirs --> on
> > > virt_use_nfs --> off
> > > xen_use_nfs --> off
> > >
> > > I've got several - here's three:
> > >
> > > type=AVC msg=audit(1375711978.360:34383): avc:  denied  { read } for
> > > pid=32095 comm="mplayer" name="2013-08-05" dev="0:38" ino=29229135
> > > scontext=system_u:system_r:zoneminder_t:s0
> > > tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> > Where exactly is this directory "2013-08-05"?
> >
> > You might be able to find it with the find command: find / -inum
> > 29229135
> >
> > But yes you would need to add rules to conditionally allow this in
> > theory (create a boolean zoneminder_use_nfs)
> >
> > > This one is even more fun: it doesn't think bash should be allowed to
> > > execute mplayer (if I've got the sealert and the audit.log entry 
> > > matched
> > > up....)
> > >
> > > type=AVC msg=audit(1375711977.280:34380): avc:  denied  { execute } for
> > > pid=32095 comm="mplayer" path="/usr/bin/mplayer" dev="sda3" ino=793612
> > > scontext=system_u:system_r:zoneminder_t:s0
> > > tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file
> > That one looks strange because it seems that mplayer executes itself. In
> > theory you can use audit2allow to allow this.
> >
> > > Is this what you needed?
> > >
> > >          mark
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> Also probably bug with "motion" labelng.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I created a new bug for this issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1005834

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux