Bug 1091681
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/motion from 'accept' accesses on the tcp_socket . |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 20 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | zimon <zimon> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, lvrabec, mgrepl |
| Whiteboard | abrt_hash:42e31700fe162cf46b6c4f15271894407c836559823a5566167dc817aa55d053 |
| Fixed In Version | selinux-policy-3.12.1-163.fc20 |
| Doc Type | Bug Fix |
| Last Closed | 2014-05-21 23:30:49 UTC |
Description
zimon
2014-04-27 09:02:40 UTC
That part above from /etc/motion/motion.conf:

```
# Note! Also SElinux must be configured:
# semanage port -a -t transproxy_port_t -p tcp 8082
```

...was something I've written there for myself to remember.

And the SELinux Audit Messages come when one tries to connect to localhost:8081 (streaming) or localhost:8082 (controlling), and if those were configured in motion.conf.

The port 8081 comes from this in motion.conf:

```
############################################################
# Live Stream Server
############################################################
# The mini-http server listens to this port for requests (default: 0 = disabled)
# stream_port 8081
```

```
commit da4de1d2aa818fb7fbd6fed97b3d2da3e4d3f44d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 28 09:47:41 2014 +0200

    Add support for us_cli ports

commit 2ec9a99cb2b50bb1cabd74bfdefe974e73cd9cea
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 28 09:46:10 2014 +0200

    ALlow motion to use tcp/8082 port
```

selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20

Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).

Did install that. Is there a policy now to allow motion to listen on port 8082, or generally on all ports over 1024? Or, for example, ports 8081 - 8100?

I was not quite clear above about it. The SELinux alerts were about 8082, but the same kind of issue exists for 8081. So motion needs two TCP ports to listen on, if the user wishes.

Motion, by its default configuration, wants to use both port 8081 and 8082 (these are also user configurable). Port 8081 is for streaming the same video which has gone through the motion system, and port 8082 is for controlling. From /etc/motion/motion.conf:

```
# The mini-http server listens to this port for requests (default: 0 = disabled)
stream_port 8081

# TCP/IP port for the http server to listen on (default: 0 = disabled)
webcontrol_port 8082
```

But I do not know if it is wise to dedicate ports 8081 and 8082 to motion in SELinux policy, because other programs may want to use those ports also. Maybe it would just allow some range, like 8081 - 8100, and that would also be patched in as a comment to the default configuration file in the motion rpm package for Fedora.

Hi,
We allowed motion to bind on ports 8081 and 8082. Thank you for your report.

Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).

selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

I can confirm (a little late, I forgot) it works now, at least for me. I can get the passed-through web cam image via port localhost:8081 and can also configure motion through port localhost:8082, with a web browser. And no SELinux warnings or errors anymore.
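An added example, not part of the bug report or of the selinux-policy project: the thread says the fix lets motion bind on 8081 and 8082 while both listeners stay user-configurable in motion.conf, so this script lists the enabled listeners and flags any on another port. The function names and the sample config are constructed for illustration; the covered port set is taken from the maintainer's comment above.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: the policy fix covers
# exactly TCP 8081 and 8082, as stated in the thread.
POLICY_PORTS="8081 8082"

# Print "directive port" for every enabled listener in a motion.conf.
# Lines starting with # or ; are comments; port 0 means disabled.
motion_ports() {
    awk '
        $1 ~ /^[#;]/ { next }
        ($1 == "stream_port" || $1 == "webcontrol_port") &&
            $2 ~ /^[0-9]+$/ && $2 + 0 != 0 { print $1, $2 + 0 }
    ' "$1"
}

# Print the enabled listeners whose port is outside POLICY_PORTS.
# Returns 1 if any such listener exists, 0 otherwise.
uncovered_ports() {
    motion_ports "$1" | awk -v ok="$POLICY_PORTS" '
        BEGIN { n = split(ok, p, " "); for (i = 1; i <= n; i++) covered[p[i]] = 1 }
        !($2 in covered) { print; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: stream moved to 8090, web control left on 8082.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# stream_port 8081
stream_port 8090
webcontrol_port 8082
EOF
uncovered_ports "$sample" ||
    echo "listed ports are outside the 8081/8082 policy fix" >&2
rm -f "$sample"
```

A listener flagged here would have to be checked against the port labels on the host with `semanage port -l` before starting motion.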