Bug 611016

Summary: SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
Product: [Fedora] Fedora Reporter: Bart Kus <me>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: bosco01, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:15359d0620a6966a64a521ebb60915fc68e14fb0623a8ddbf6041347bdffa27c
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-21 17:05:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Audit log of zoneminder (and possibly other) SELinux events none

Description Bart Kus 2010-07-03 05:59:18 UTC 
Summary:

SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.  This happens in F13 after /etc/php.ini is modified to set short_open_tag = On so that zoneminder's /usr/share/zoneminder/www/includes/functions.php file does not report a php parse error.  The package does not work otherwise.

Detailed Description:

SELinux denied access requested by zmdc.pl. It is not expected that this access
is required by zmdc.pl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                zmdc.sock [ sock_file ]
Source                        zmdc.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.1-112.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP
                              Fri Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Fri 02 Jul 2010 10:48:15 PM PDT
Last Seen                     Fri 02 Jul 2010 10:53:15 PM PDT
Local ID                      af890b81-278b-4e76-83d8-f847169d3211
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278136395.689:27417): avc:  denied  { write } for  pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46550 a2=da9d6c a3=93bf008 items=0 ppid=2920 pid=3118 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="zmdc.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  catchall,zmdc.pl,httpd_t,tmp_t,sock_file,write
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t tmp_t:sock_file write;
Comment 1 Miroslav Grepl 2010-07-04 21:34:58 UTC 
Bart,

all these your bugs are caused by zoneminder, which is running as initrc_t domain. It means zoneminder needs policy.

You can do the following steps as workaround

1. chcon -t httpd_sys_script_exec_t /usr/libexec/zoneminder/cgi-bin/* 
2. setenforce 0
3. run zoneminder
4. setenforce 1
5. add local policy using

grep avc /var/log/audit/audit.log | audit2allow -M myzoneminder
semodule -i myzoneminder.pp

Will fix for now and I will write zoneminder policy. Also please send me your compressed /var/log/audit/audit.log.

Thanks.
Comment 2 Miroslav Grepl 2010-07-04 21:35:44 UTC 
*** Bug 611019 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-07-04 21:36:59 UTC 
*** Bug 611024 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2010-07-04 21:37:39 UTC 
*** Bug 611025 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2010-07-04 21:38:46 UTC 
*** Bug 611026 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2010-07-04 21:39:33 UTC 
*** Bug 611028 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2010-07-04 21:39:57 UTC 
*** Bug 611030 has been marked as a duplicate of this bug. ***
Comment 8 Miroslav Grepl 2010-07-04 21:40:37 UTC 
*** Bug 611031 has been marked as a duplicate of this bug. ***
Comment 9 Miroslav Grepl 2010-07-04 21:42:35 UTC 
*** Bug 611032 has been marked as a duplicate of this bug. ***
Comment 10 Bart Kus 2010-07-05 16:37:22 UTC 
Created attachment 429561 [details]
Audit log of zoneminder (and possibly other) SELinux events

Providing requested audit.log file.
Comment 11 Miroslav Grepl 2010-11-03 15:45:15 UTC 
Thanks for your audit.log. The problem is the zoneminder has a lot of issues so I am moving the bug to F14 and I will re-check the zoneminder.
Comment 12 Fedora Admin XMLRPC Client 2010-11-08 21:53:14 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 13 Fedora Admin XMLRPC Client 2010-11-08 21:54:56 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora Admin XMLRPC Client 2010-11-08 21:55:33 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Daniel Walsh 2011-05-26 20:47:41 UTC 
Is this fixed in the current release?
Comment 16 Miroslav Grepl 2011-05-27 08:03:40 UTC 
Not yet. There were some issues in the zoneminder code which I need to review.
Comment 17 Lam Ho Yin Bosco 2011-08-13 08:20:54 UTC 
I have disabled selinux and still got this error...

Fedora release 15 (Lovelock)
==> /var/log/messages <==
Aug 14 00:18:27 localhost zmdc[3008]: INF ['zmc -d /dev/video0' starting at 11/08/14 00:18:27, pid = 3197]
Aug 14 00:18:27 localhost zmdc[3197]: INF ['zmc -d /dev/video0' started at 11/08/14 00:18:27]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Debug Level = 0, Debug Log = <none>]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Starting Capture]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Hue control is not suppported]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Saturation control is not suppported]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Got signal 11 (Segmentation fault), crashing]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Signal address is 0x10206, no eip]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libpthread.so.0(+0xeef0) [0x7fc50fa2cef0]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(+0x1329bb) [0x7fc50f31d9bb]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x418541]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x420157]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x40545a]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(__libc_start_main+0xed) [0x7fc50f20c39d]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x4057e1]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Backtrace complete, please execute the following command for more information]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [addr2line -e /usr/bin/zmc() 0x7fc50fa2cef0 0x7fc50f31d9bb 0x418541 0x420157 0x40545a 0x7fc50f20c39d 0x4057e1]
Comment 18 Daniel Walsh 2011-08-15 11:07:37 UTC 
Then open a bug on that package.