Bug 2218103
| Summary: | zoneminder related blockings | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marek Greško <marek.gresko> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 38 | CC: | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Marek,

I cannot find such a package in Fedora. Most of the permissions seem to be meaningful, but should be addressed in a local policy.

This one does not feel right:

```
avc: denied { create } for pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
```
Hello,

zoneminder is a part of the rpmfusion-free repository. Fedora apparently knows of it, since the file_contexts file contains `/usr/bin/zmpkg.pl -- system_u:object_r:zoneminder_exec_t:s0`. If that is not intended, then the targeted policy should not touch the software and it should not be affected by it, but apparently it is. Why?

Thanks
Marek
Hello,

I observe several zoneminder related blockings:

```
avc: denied { read open } for pid=5367 comm="sh" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc: denied { ioctl } for pid=5367 comm="zmpkg.pl" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 ioctlcmd=0x5401 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc: denied { write } for pid=5398 comm="zmdc.pl" name="zmdc.sock" dev="sdc1" ino=2621442 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=5398 comm="zmdc.pl" path="/mnt/zm/sock/zmdc.sock" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket permissive=1
avc: denied { create } for pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
avc: denied { sendto } for pid=23256 comm="nph-zms" path="/mnt/zm/sock/zms-589985w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc: denied { search } for pid=23256 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc: denied { write } for pid=23256 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc: denied { add_name } for pid=23256 comm="nph-zms" name="zms_e62717.log" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc: denied { create } for pid=23256 comm="nph-zms" name="zms_e62717.log" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc: denied { append open } for pid=23256 comm="nph-zms" path="/var/log/zoneminder/zms_e62717.log" dev="dm-2" ino=131629 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=23256 comm="nph-zms" path="/var/log/zoneminder/zms_e62717.log" dev="dm-2" ino=131629 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc: denied { sendto } for pid=23287 comm="nph-zms" path="/mnt/zm/sock/zms-832389w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc: denied { search } for pid=23287 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc: denied { sendto } for pid=23335 comm="nph-zms" path="/mnt/zm/sock/zms-469663w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc: denied { map } for pid=2018 comm="php-fpm" path="/mnt/zm/events/1/2023-06-27/62717/snapshot-48x27.jpg" dev="sdc1" ino=9975030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=file permissive=1
```

Thanks
Marek

Reproducible: Always
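The denials in the description are what a local policy module would be generated from, and the maintainer's remark that the php-fpm/var_t lnk_file denial "does not feel right" is the usual review step before loading one. The following is an added example, not code from the bug or from the selinux-policy project: it merges AVC lines into allow rules the way `audit2allow` does and comments out any rule whose target is a generic type such as `var_t`, since those normally point at a mislabelled path (fixed with a file context and `restorecon`) rather than a missing permission. The sample input is constructed from four of the denials above with dev/ino fields dropped; the `GENERIC_TYPES` set and the `REVIEW` marker are choices of this example.

```python
import re
from collections import defaultdict

# Constructed sample: four of the denials from the bug description, dev/ino fields dropped.
SAMPLE_AVC = """\
avc: denied { read open } for pid=5367 comm="sh" path="/usr/bin/zmpkg.pl" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc: denied { ioctl } for pid=5367 comm="zmpkg.pl" path="/usr/bin/zmpkg.pl" ioctlcmd=0x5401 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc: denied { connectto } for pid=5398 comm="zmdc.pl" path="/mnt/zm/sock/zmdc.sock" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket permissive=1
avc: denied { create } for pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<sc>\S+)\s+tcontext=(?P<tc>\S+)\s+tclass=(?P<cls>\S+)')

# Generic types (assumption of this example): a denial against one of these usually
# means the object is mislabelled, so the fix is a relabel, not a new allow rule.
GENERIC_TYPES = {"var_t", "var_lib_t", "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t"}

def type_of(ctx):
    return ctx.split(":")[2]          # user:role:type:level -> type

def allow_rules(text):
    """Merge denial lines into {(source_type, target_type, class): sorted permissions}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            merged[(type_of(m["sc"]), type_of(m["tc"]), m["cls"])] |= set(m["perms"].split())
    return {k: sorted(v) for k, v in merged.items()}

def suspicious_rules(text):
    """Rules whose target is a generic type; these want review, not a blanket allow."""
    return [k for k in allow_rules(text) if k[1] in GENERIC_TYPES]

def render_te(text, module="local_zoneminder"):
    """Render a .te module in the shape audit2allow -M produces; suspicious rules are commented out."""
    rules = allow_rules(text)
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= set(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        out.append(f"# REVIEW (generic target type): {rule}" if tgt in GENERIC_TYPES else rule)
    return "\n".join(out)

if __name__ == "__main__":
    print(render_te(SAMPLE_AVC))
```

The printed module is what you would hand to `checkmodule`/`semodule_package` after deciding whether each REVIEW line is a real policy gap or a labelling error.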