Bug 2218103 - zoneminder related blockings
Summary: zoneminder related blockings
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-28 07:21 UTC by Marek Greško
Modified: 2023-06-28 11:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Marek Greško 2023-06-28 07:21:35 UTC
Hello,

I observe several zoneminder related blockings:

avc:  denied  { read open } for  pid=5367 comm="sh" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc:  denied  { ioctl } for  pid=5367 comm="zmpkg.pl" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 ioctlcmd=0x5401 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc:  denied  { write } for  pid=5398 comm="zmdc.pl" name="zmdc.sock" dev="sdc1" ino=2621442 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=sock_file permissive=1
avc:  denied  { connectto } for  pid=5398 comm="zmdc.pl" path="/mnt/zm/sock/zmdc.sock" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket permissive=1
avc:  denied  { create } for  pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
avc:  denied  { sendto } for  pid=23256 comm="nph-zms" path="/mnt/zm/sock/zms-589985w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc:  denied  { search } for  pid=23256 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc:  denied  { write } for  pid=23256 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc:  denied  { add_name } for  pid=23256 comm="nph-zms" name="zms_e62717.log" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc:  denied  { create } for  pid=23256 comm="nph-zms" name="zms_e62717.log" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc:  denied  { append open } for  pid=23256 comm="nph-zms" path="/var/log/zoneminder/zms_e62717.log" dev="dm-2" ino=131629 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc:  denied  { getattr } for  pid=23256 comm="nph-zms" path="/var/log/zoneminder/zms_e62717.log" dev="dm-2" ino=131629 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=file permissive=1
avc:  denied  { sendto } for  pid=23287 comm="nph-zms" path="/mnt/zm/sock/zms-832389w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc:  denied  { search } for  pid=23287 comm="nph-zms" name="zoneminder" dev="dm-2" ino=131579 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=1
avc:  denied  { sendto } for  pid=23335 comm="nph-zms" path="/mnt/zm/sock/zms-469663w.sock" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_dgram_socket permissive=1
avc:  denied  { map } for  pid=2018 comm="php-fpm" path="/mnt/zm/events/1/2023-06-27/62717/snapshot-48x27.jpg" dev="sdc1" ino=9975030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=file permissive=1

Thanks

Marek


Reproducible: Always

Comment 1 Zdenek Pytela 2023-06-28 08:27:31 UTC
Marek,

I cannot find such a package in Fedora. Most of the permissions seem to be meaningful, but they should be addressed in a local policy.

This one does not feel right:
avc:  denied  { create } for  pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
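
Added example (not part of the bug report or of selinux-policy): a small parser that turns AVC denial lines like the ones above into the allow rules a local policy module would need, grouped the way audit2allow groups them, and separately flags rules whose target is a generic type such as var_t. Such a rule is the symptom of a mislabeled path rather than a missing permission, so the fix is relabeling (restorecon) rather than allowing it. The sample lines are three denials copied from the report; the set of generic types is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denials from the report above.
SAMPLE_AVCS = """\
avc:  denied  { read open } for  pid=5367 comm="sh" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc:  denied  { ioctl } for  pid=5367 comm="zmpkg.pl" path="/usr/bin/zmpkg.pl" dev="dm-1" ino=2363760 ioctlcmd=0x5401 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file permissive=1
avc:  denied  { create } for  pid=2015 comm="php-fpm" name="css_reset-base-1677188641.css" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=1
"""

# Fields of an AVC record: permissions in braces, then user:role:type:level
# contexts for source and target, then the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Assumption of this example: target types that are too generic to be allowed
# to a service domain; a denial against them usually means a mislabeled path.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            grouped[key].update(m["perms"].split())
    return grouped


def allow_rules(grouped):
    """Render each group as a policy allow rule, audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def flag_generic_targets(grouped):
    """Return the groups whose target type should be relabeled, not allowed."""
    return sorted(k for k in grouped if k[1] in GENERIC_TYPES)


if __name__ == "__main__":
    g = parse_avc(SAMPLE_AVCS)
    print("\n".join(allow_rules(g)))
    print("relabel instead:", flag_generic_targets(g))
```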

Comment 2 Marek Greško 2023-06-28 11:00:10 UTC
Hello,

zoneminder is a part of the rpmfusion-free repository. Fedora apparently knows of it, since the file_contexts file contains /usr/bin/zmpkg.pl --      system_u:object_r:zoneminder_exec_t:s0. If it is not intended then the targeted policy should not touch the software and it should not be affected by it, but apparently it is. Why?

Thanks

Marek

