Summary: SELinux is preventing /usr/bin/perl "write" access on zmdc.sock. This happens in F13 after /etc/php.ini is modified to set short_open_tag = On so that zoneminder's /usr/share/zoneminder/www/includes/functions.php file does not report a php parse error. The package does not work otherwise. Detailed Description: SELinux denied access requested by zmdc.pl. It is not expected that this access is required by zmdc.pl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:tmp_t:s0 Target Objects zmdc.sock [ sock_file ] Source zmdc.pl Source Path /usr/bin/perl Port <Unknown> Host (removed) Source RPM Packages perl-5.10.1-112.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-28.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40 UTC 2010 i686 i686 Alert Count 2 First Seen Fri 02 Jul 2010 10:48:15 PM PDT Last Seen Fri 02 Jul 2010 10:53:15 PM PDT Local ID af890b81-278b-4e76-83d8-f847169d3211 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1278136395.689:27417): avc: denied { write } for pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file node=(removed) type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46550 a2=da9d6c a3=93bf008 items=0 ppid=2920 pid=3118 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="zmdc.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from catchall,zmdc.pl,httpd_t,tmp_t,sock_file,write audit2allow suggests: #============= httpd_t ============== allow httpd_t tmp_t:sock_file write;
Bart, all these your bugs are caused by zoneminder, which is running as initrc_t domain. It means zoneminder needs policy. You can do the following steps as workaround 1. chcon -t httpd_sys_script_exec_t /usr/libexec/zoneminder/cgi-bin/* 2. setenforce 0 3. run zoneminder 4. setenforce 1 5. add local policy using grep avc /var/log/audit/audit.log | audit2allow -M myzoneminder semodule -i myzoneminder.pp Will fix for now and I will write zoneminder policy. Also please send me your compressed /var/log/audit/audit.log. Thanks.
*** Bug 611019 has been marked as a duplicate of this bug. ***
*** Bug 611024 has been marked as a duplicate of this bug. ***
*** Bug 611025 has been marked as a duplicate of this bug. ***
*** Bug 611026 has been marked as a duplicate of this bug. ***
*** Bug 611028 has been marked as a duplicate of this bug. ***
*** Bug 611030 has been marked as a duplicate of this bug. ***
*** Bug 611031 has been marked as a duplicate of this bug. ***
*** Bug 611032 has been marked as a duplicate of this bug. ***
Created attachment 429561 [details] Audit log of zoneminder (and possibly other) SELinux events Providing requested audit.log file.
Thanks for your audit.log. The problem is the zoneminder has a lot of issues so I am moving the bug to F14 and I will re-check the zoneminder.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Is this fixed in the current release?
Not yet. There were some issues in the zoneminder code which I need to review.
I have disabled selinux and still got this error... Fedora release 15 (Lovelock) ==> /var/log/messages <== Aug 14 00:18:27 localhost zmdc[3008]: INF ['zmc -d /dev/video0' starting at 11/08/14 00:18:27, pid = 3197] Aug 14 00:18:27 localhost zmdc[3197]: INF ['zmc -d /dev/video0' started at 11/08/14 00:18:27] Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Debug Level = 0, Debug Log = <none>] Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Starting Capture] Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Hue control is not suppported] Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Saturation control is not suppported] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Got signal 11 (Segmentation fault), crashing] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Signal address is 0x10206, no eip] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libpthread.so.0(+0xeef0) [0x7fc50fa2cef0]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(+0x1329bb) [0x7fc50f31d9bb]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x418541]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x420157]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x40545a]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(__libc_start_main+0xed) [0x7fc50f20c39d]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x4057e1]] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Backtrace complete, please execute the following command for more information] Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [addr2line -e /usr/bin/zmc() 0x7fc50fa2cef0 0x7fc50f31d9bb 0x418541 0x420157 0x40545a 0x7fc50f20c39d 0x4057e1]
Then open a bug on that package.