Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files video0.

Happens when trying to view a video stream from the zoneminder web UI.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files video0. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, squirrelmail_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of video0 so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'video0'. where FILE_TYPE is one of the following: squirrelmail_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                video0 [ lnk_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 02 Jul 2010 11:22:44 PM PDT
Last Seen                     Fri 02 Jul 2010 11:22:44 PM PDT
Local ID                      86299e1d-039a-4bf0-a776-a82cdfee7435
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1278138164.391:27441): avc: denied { create } for pid=2919 comm="httpd" name="video0" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1278138164.391:27441): arch=40000003 syscall=83 success=no exit=-13 a0=b773adb8 a1=bfcdab9c a2=131ad1c a3=bfcd9b9c items=0 ppid=2912 pid=2919 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_bad_labels,httpd,httpd_t,var_lib_t,lnk_file,create

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t var_lib_t:lnk_file create;

*** This bug has been marked as a duplicate of bug 611016 ***