Description of problem:
Enabling motion webcontrol is not possible without SELinux policy changes (or disabling SELinux). It would be nice if this was possible.

The problem is that when using the following *non-default* (default is disabled) setting in /etc/motion/motion.conf:

############################################################
# HTTP Based Control
############################################################

# TCP/IP port for the http server to listen on (default: 0 = disabled)
webcontrol_port 8080

...with the current F19 selinux-policy:

# rpm -q selinux-policy
selinux-policy-3.12.1-74.14.fc19.noarch

...we get this in journalctl:

Dec 05 00:40:12 [...] setroubleshoot[22691]: SELinux is preventing /usr/bin/motion from accept access on the tcp_socket . For complete SELinux messages. run sealert -l [...]

...and this is the sealert message:

SELinux is preventing /usr/bin/motion from accept access on the tcp_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that motion should be allowed accept access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep motion /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:motion_t:s0
Target Context                system_u:system_r:motion_t:s0
Target Objects                [ tcp_socket ]
Source                        motion
Source Path                   /usr/bin/motion
Port                          <Unknown>
Host                          tv
Source RPM Packages           motion-3.3.0-trunkREV557.11.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.14.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tv
Martin, could you play around with

# semanage permissive -a motion_t

re-test it

# ausearch -m avc -ts recent

# semanage permissive -d motion_t

Thank you.
Hi Miroslav,

Unfortunately I didn't have time to test that fully. I've updated to F20 and with this policy:

# rpm -q selinux-policy
selinux-policy-3.12.1-166.fc20.noarch

...and:

systemctl stop motion
semanage permissive -d motion_t
systemctl start motion

...I can't reproduce the issue: I see no related AVCs and the web interface works.

If I use:

semanage permissive -a motion_t

...I of course see no AVCs.

I'm not sure if it's fixed or my other local motion policies (below) are affecting the outcome, despite being inactive:

# semodule -l | grep motion
motion-pol	1.0	Disabled
motion-pol2	1.0	Disabled
motion	1.0.0

# cat motion-pol.te
module motion-pol 1.0;

require {
	type home_root_t;
	type motion_t;
	class tcp_socket accept;
	class dir search;
}

#============= motion_t ==============
allow motion_t home_root_t:dir search;

#!!!! This avc is allowed in the current policy
allow motion_t self:tcp_socket accept;

# cat motion-pol2.te
module motion-pol2 1.0;

require {
	type motion_t;
	class tcp_socket accept;
}

#============= motion_t ==============
allow motion_t self:tcp_socket accept;
Hi,

It looks like we fixed this in F20, so I'll backport the changes from F20 to F19.
Thanks very much!