Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 611016 - SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:15359d0620a...
:
: 611019 611024 611025 611026 611028 611030 611031 611032 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-03 01:59 EDT by Bart Kus
Modified: 2011-11-21 12:05 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-21 12:05:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Audit log of zoneminder (and possibly other) SELinux events (9.28 KB, application/x-gzip)
2010-07-05 12:37 EDT, Bart Kus
no flags Details

  None (edit)
Description Bart Kus 2010-07-03 01:59:18 EDT
Summary:

SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.  This happens in F13 after /etc/php.ini is modified to set short_open_tag = On so that zoneminder's /usr/share/zoneminder/www/includes/functions.php file does not report a php parse error.  The package does not work otherwise.

Detailed Description:

SELinux denied access requested by zmdc.pl. It is not expected that this access
is required by zmdc.pl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                zmdc.sock [ sock_file ]
Source                        zmdc.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.1-112.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP
                              Fri Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Fri 02 Jul 2010 10:48:15 PM PDT
Last Seen                     Fri 02 Jul 2010 10:53:15 PM PDT
Local ID                      af890b81-278b-4e76-83d8-f847169d3211
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278136395.689:27417): avc:  denied  { write } for  pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46550 a2=da9d6c a3=93bf008 items=0 ppid=2920 pid=3118 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="zmdc.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  catchall,zmdc.pl,httpd_t,tmp_t,sock_file,write
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t tmp_t:sock_file write;
Comment 1 Miroslav Grepl 2010-07-04 17:34:58 EDT
Bart,

all these your bugs are caused by zoneminder, which is running as initrc_t domain. It means zoneminder needs policy.

You can do the following steps as workaround

1. chcon -t httpd_sys_script_exec_t /usr/libexec/zoneminder/cgi-bin/* 
2. setenforce 0
3. run zoneminder
4. setenforce 1
5. add local policy using

grep avc /var/log/audit/audit.log | audit2allow -M myzoneminder
semodule -i myzoneminder.pp

Will fix for now and I will write zoneminder policy. Also please send me your compressed /var/log/audit/audit.log.

Thanks.
Comment 2 Miroslav Grepl 2010-07-04 17:35:44 EDT
*** Bug 611019 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-07-04 17:36:59 EDT
*** Bug 611024 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2010-07-04 17:37:39 EDT
*** Bug 611025 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2010-07-04 17:38:46 EDT
*** Bug 611026 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2010-07-04 17:39:33 EDT
*** Bug 611028 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2010-07-04 17:39:57 EDT
*** Bug 611030 has been marked as a duplicate of this bug. ***
Comment 8 Miroslav Grepl 2010-07-04 17:40:37 EDT
*** Bug 611031 has been marked as a duplicate of this bug. ***
Comment 9 Miroslav Grepl 2010-07-04 17:42:35 EDT
*** Bug 611032 has been marked as a duplicate of this bug. ***
Comment 10 Bart Kus 2010-07-05 12:37:22 EDT
Created attachment 429561 [details]
Audit log of zoneminder (and possibly other) SELinux events

Providing requested audit.log file.
Comment 11 Miroslav Grepl 2010-11-03 11:45:15 EDT
Thanks for your audit.log. The problem is the zoneminder has a lot of issues so I am moving the bug to F14 and I will re-check the zoneminder.
Comment 12 Fedora Admin XMLRPC Client 2010-11-08 16:53:14 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 13 Fedora Admin XMLRPC Client 2010-11-08 16:54:56 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora Admin XMLRPC Client 2010-11-08 16:55:33 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Daniel Walsh 2011-05-26 16:47:41 EDT
Is this fixed in the current release?
Comment 16 Miroslav Grepl 2011-05-27 04:03:40 EDT
Not yet. There were some issues in the zoneminder code which I need to review.
Comment 17 Lam Ho Yin Bosco 2011-08-13 04:20:54 EDT
I have disabled selinux and still got this error...

Fedora release 15 (Lovelock)
==> /var/log/messages <==
Aug 14 00:18:27 localhost zmdc[3008]: INF ['zmc -d /dev/video0' starting at 11/08/14 00:18:27, pid = 3197]
Aug 14 00:18:27 localhost zmdc[3197]: INF ['zmc -d /dev/video0' started at 11/08/14 00:18:27]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Debug Level = 0, Debug Log = <none>]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: INF [Starting Capture]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Hue control is not suppported]
Aug 14 00:18:27 localhost zmc_dvideo0[3197]: WAR [Saturation control is not suppported]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Got signal 11 (Segmentation fault), crashing]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Signal address is 0x10206, no eip]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libpthread.so.0(+0xeef0) [0x7fc50fa2cef0]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(+0x1329bb) [0x7fc50f31d9bb]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x418541]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x420157]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x40545a]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /lib64/libc.so.6(__libc_start_main+0xed) [0x7fc50f20c39d]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: ERR [Backtrace: /usr/bin/zmc() [0x4057e1]]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [Backtrace complete, please execute the following command for more information]
Aug 14 00:18:28 localhost zmc_dvideo0[3197]: INF [addr2line -e /usr/bin/zmc() 0x7fc50fa2cef0 0x7fc50f31d9bb 0x418541 0x420157 0x40545a 0x7fc50f20c39d 0x4057e1]
Comment 18 Daniel Walsh 2011-08-15 07:07:37 EDT
Then open a bug on that package.

Note You need to log in before you can comment on or make changes to this bug.