Description of problem:
When motion is configured so it will have an HTTP Based Control interface, one will have something like below in /etc/motion/motion.conf, and SELinux does not permit it.

"
############################################################
# HTTP Based Control
############################################################

# TCP/IP port for the http server to listen on (default: 0 = disabled)
# Note! Also SElinux must be configured:
# semanage port -a -t transproxy_port_t -p tcp 8082
webcontrol_port 8082

# Restrict control connections to localhost only (default: on)
webcontrol_localhost on

# Output for http server, select off to choose raw text plain (default: on)
webcontrol_html_output on

# Authentication for the http based control. Syntax username:password
# Default: not defined (Disabled)
; webcontrol_authentication username:password
"

SELinux is preventing /usr/bin/motion from 'accept' accesses on the tcp_socket.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that motion should be allowed accept access on the tcp_socket by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep motion /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:motion_t:s0
Target Context                system_u:system_r:motion_t:s0
Target Objects                [ tcp_socket ]
Source                        motion
Source Path                   /usr/bin/motion
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           motion-3.3.0-trunkREV557.9.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.13.9-200.fc20.x86_64 #1 SMP Fri Apr 4 12:13:05 UTC 2014 x86_64 x86_64
Alert Count                   48
First Seen                    2014-04-26 20:11:50 EEST
Last Seen                     2014-04-26 20:13:56 EEST
Local ID                      d6941742-4397-4cad-b086-50d67480a2de

Raw Audit Messages
type=AVC msg=audit(1398532436.626:94563): avc: denied { accept } for pid=11800 comm="motion" laddr=127.0.0.1 lport=8082 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:system_r:motion_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1398532436.626:94563): arch=x86_64 syscall=accept success=no exit=EACCES a0=6 a1=7f412ada9d90 a2=7f412ada9d44 a3=0 items=0 ppid=1 pid=11800 auid=4294967295 uid=491 gid=39 euid=491 suid=491 fsuid=491 egid=39 sgid=39 fsgid=39 ses=4294967295 tty=(none) comm=motion exe=/usr/bin/motion subj=system_u:system_r:motion_t:s0 key=(null)

Hash: motion,motion_t,motion_t,tcp_socket,accept

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.13.9-200.fc20.x86_64
type:           libreport
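The AVC record in the report above is the kind of line an administrator has to read before choosing between the two remedies the thread mentions (relabelling a port with semanage port, or building a local module with audit2allow). The following is an added triage example, not part of this bug report or of the motion or selinux-policy projects: it parses raw type=AVC lines, rebuilds the comm,stype,ttype,tclass,perm tuple that setroubleshoot prints as "Hash:", and classifies each denial by what the target label tells you. A target type ending in _port_t means a port-label question (name_bind/name_connect against the port object), whereas a target context equal to the source context, as in the accept denial above, means the socket carries the domain's own label and no port relabelling can grant the missing permission. The first sample line is the record quoted in the report; the second (a name_bind denial against unreserved_port_t) is constructed for contrast. The classification heuristic is the example's own, not setroubleshoot's.

```python
import re

# Constructed sample log: line 1 is the AVC record from the report above,
# line 2 is a non-AVC record that must be skipped, line 3 is a constructed
# port-label denial (not from the report) to show the other outcome.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1398532436.626:94563): avc: denied { accept } for pid=11800 comm="motion" laddr=127.0.0.1 lport=8082 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:system_r:motion_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1398532436.626:94563): arch=x86_64 syscall=accept success=no exit=EACCES a0=6 comm=motion exe=/usr/bin/motion
type=AVC msg=audit(1398532400.000:94500): avc:  denied  { name_bind } for  pid=11800 comm="motion" src=8081 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# Matches the fixed prefix of an AVC denial; whitespace is tolerant because
# auditd emits double spaces around "denied" while copy-pasted text often does not.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="motion") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    if not ctx or ctx.count(':') < 2:
        return None
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one type=AVC line into a dict, or return None for other records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # accept denials carry lport=, bind denials carry src=
        'port': fields.get('lport') or fields.get('src'),
    }


def classify(rec):
    """Heuristic (this example's own): what kind of fix does the denial point at?"""
    stype = context_type(rec['scontext'])
    ttype = context_type(rec['tcontext'])
    if ttype and ttype.endswith('_port_t'):
        # The check was against the port object: its label (semanage port -l)
        # or the domain's name_bind/name_connect rules for that type decide.
        return 'port-label'
    if ttype == stype:
        # The socket is labelled with the domain itself; only a policy rule
        # granting the permission to that domain (e.g. a local module) helps.
        return 'domain-self'
    return 'other'


def alert_key(rec):
    """Rebuild the tuple setroubleshoot prints as 'Hash:' in its reports."""
    return ','.join([
        rec['comm'] or '',
        context_type(rec['scontext']) or '',
        context_type(rec['tcontext']) or '',
        rec['tclass'] or '',
        rec['perms'][0] if rec['perms'] else '',
    ])


def summarize(log_text):
    """Parse every AVC line in a log dump and attach a classification."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec['kind'] = classify(rec)
        rec['key'] = alert_key(rec)
        out.append(rec)
    return out


if __name__ == '__main__':
    for rec in summarize(SAMPLE_AUDIT_LOG):
        print(f"{rec['key']:45} port={rec['port']:<5} -> {rec['kind']}")
```

Run it against `grep AVC /var/log/audit/audit.log` output to see at a glance whether a denial is about a port label at all. For the record quoted in this report the key comes out as motion,motion_t,motion_t,tcp_socket,accept, identical to the Hash line setroubleshoot printed, and the classification is domain-self, which is consistent with the fix eventually shipping as a policy change rather than a port relabel.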
That part above from /etc/motion/motion.conf:

"
# Note! Also SElinux must be configured:
# semanage port -a -t transproxy_port_t -p tcp 8082
"

...was something I've written there for myself to remember.

And the SELinux Audit Messages come when one tries to connect to localhost:8081 (streaming) or localhost:8082 (controlling), if those were configured in motion.conf. The port 8081 comes from this in motion.conf:

"
############################################################
# Live Stream Server
############################################################

# The mini-http server listens to this port for requests (default: 0 = disabled)
# stream_port 8081
"
commit da4de1d2aa818fb7fbd6fed97b3d2da3e4d3f44d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 28 09:47:41 2014 +0200

    Add support for us_cli ports

commit 2ec9a99cb2b50bb1cabd74bfdefe974e73cd9cea
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 28 09:46:10 2014 +0200

    Allow motion to use tcp/8082 port
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).
Did install that. Is there a policy now to allow motion to listen on port 8082, or generally all ports over 1024? Or for example ports 8081 - 8100?

I was not quite clear above about it. The SELinux alerts were about 8082, but the same kind of issue exists for 8081. So motion needs two TCP ports to listen on if the user wishes. Motion, by its default configuration, wants to use both port 8081 and 8082 (they are also user configurable). Port 8081 is for streaming the same video which has gone through the motion system, and port 8082 is for controlling.

From /etc/motion/motion.conf:

"
# The mini-http server listens to this port for requests (default: 0 = disabled)
stream_port 8081

# TCP/IP port for the http server to listen on (default: 0 = disabled)
webcontrol_port 8082
"

But I do not know if it is wise to dedicate ports 8081 and 8082 to motion in the SELinux policy, because other programs may want to use those ports also. Maybe it would be better to just allow some range, like 8081 - 8100, and that would also be patched as a comment into the default configuration file in the motion rpm package for Fedora.
Hi, We allowed motion to bind on ports 8081 and 8082. Thank you for your report.
Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
I can confirm (a little late, I forgot) that it works now, at least for me. I can get the passed-through web cam image via localhost:8081 and also configure motion through localhost:8082, with a web browser. And no SELinux warnings or errors anymore.