Bug 965714 - Zoneminder will not start with Selinux in Enforcing Mode
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reopened
Reported: 2013-05-21 11:26 EDT by Tristan Santore
Modified: 2014-12-19 13:29 EST
Fixed In Version: selinux-policy-3.12.1-74.30.fc19
Doc Type: Bug Fix
Last Closed: 2014-12-19 13:29:13 EST
Type: Bug

Attachments
Zoneminder Policy with TE and FC files enclosed. (671 bytes, application/x-tgz)
2013-05-21 11:26 EDT, Tristan Santore

Description Tristan Santore 2013-05-21 11:26:07 EDT
Created attachment 751227
Zoneminder Policy with TE and FC files enclosed.

Description of problem:
Zoneminder, a cctv monitoring system, fails to start with the current selinux zoneminder 1.0.0 policy.


Version-Release number of selected component (if applicable):
Any, also applies to F17 apparently.

How reproducible:
Restart zoneminder and it fails with various errors, including an obscure pam error.
Also requires apache to have access to parts as it is used as the front-end of zoneminder.

Steps to Reproduce:
1. service zoneminder restart, or the systemctl equivalent

Actual results:
Zoneminder does not start, with errors and denials, including a non-audit-logged pam denial. A bug will be filed against pam.

Expected results:
Zoneminder should start happily with no errors.

Additional info:

Policy added in text format (attached) as a fix to the current policy.
Thanks to Dominick Grift, Dan Walsh (for that nasty pam issue hint, which doesn't log to auditd).

File attachment in tar with two files, and pasted in text format below!

To compile:

make -f /usr/share/selinux/devel/Makefile myzonem.pp

Install:
semodule -i myzonem.pp

File myzonem.fc:

/usr/bin/zmdc.pl  -- gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)

File myzonem.te:

policy_module(myzonem, 1.0.0)
gen_require(` type zoneminder_t; ')
domain_read_all_domains_state(zoneminder_t)
logging_send_audit_msgs(zoneminder_t)
sudo_exec(zoneminder_t)
su_exec(zoneminder_t)
allow zoneminder_t self:process setrlimit;
allow zoneminder_t self:capability { setuid setgid sys_resource };
gen_require(`type httpd_zoneminder_script_exec_t; ')
can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
gen_require(` type zoneminder_var_lib_t; ')
manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
dbus_system_bus_client(zoneminder_t)
selinux_compute_access_vector(zoneminder_t)
allow zoneminder_t self:process setsched;

allow zoneminder_t self:key write;
auth_rw_lastlog(zoneminder_t)
systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
systemd_dbus_chat_logind(zoneminder_t)
gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;

require {
	class passwd { rootok };
	type httpd_t;
}
allow zoneminder_t self:passwd rootok;
fs_search_tmpfs(httpd_zoneminder_script_t)
Comment 1 Bill Gradwohl 2013-05-29 11:09:28 EDT
I tried this fix on a fully patched F17 and I'm still getting sealerts and zoneminder's log is showing permission denied events.

From the log:
socket_bind( /var/lib/zoneminder/sock/zms-857784w.sock ) failed: Permission denied  :  /usr/share/zoneminder/www/includes/functions.php

I'm new to zoneminder so I'm still learning how it works and don't know if these failures are just a nuisance or something to worry about. It appears to work OK but as I'm not sure what a flawlessly performing system looks like I don't really know if I'm missing something or not.

Going back to selinux disabled for now.

If F18 is going to get rid of all the zoneminder selinux issues, I'll upgrade to F18. I'd like to know if that's the plan or is F19 more likely.

BTW - If you could suggest a good book on selinux, I'd appreciate it.
Comment 2 Tristan Santore 2013-05-29 14:05:13 EDT
Here is a new policy with some fixes for alarm states. There is also one issue I am currently investigating, so I will highlight that separately, as we are not sure yet if that access is really required.

allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };

This is the extra currently being investigated.

An amended policy that fixes the alarm state is attached below (save as myzonem.te):

policy_module(myzonem, 1.0.0)
gen_require(` type zoneminder_t; ')
domain_read_all_domains_state(zoneminder_t)
logging_send_audit_msgs(zoneminder_t)
sudo_exec(zoneminder_t)
su_exec(zoneminder_t)
allow zoneminder_t self:process setrlimit;
allow zoneminder_t self:capability { setuid setgid sys_resource };
gen_require(`type httpd_zoneminder_script_exec_t; ')
can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
gen_require(` type zoneminder_var_lib_t; ')
manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
dbus_system_bus_client(zoneminder_t)
selinux_compute_access_vector(zoneminder_t)
allow zoneminder_t self:process setsched;

allow zoneminder_t self:key write;
auth_rw_lastlog(zoneminder_t)
systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
systemd_dbus_chat_logind(zoneminder_t)
gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;

require {
	class passwd { rootok };
	type httpd_t;
}
allow zoneminder_t self:passwd rootok;
fs_search_tmpfs(httpd_zoneminder_script_t)

#new fix for alarm states
allow httpd_t zoneminder_var_lib_t:dir { write add_name remove_name };
allow httpd_t zoneminder_var_lib_t:sock_file { create write unlink };
allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow httpd_t zoneminder_tmpfs_t:file { read write open getattr };
Comment 3 Bill Gradwohl 2013-05-29 14:49:17 EDT
Tried the above and still get these sealerts:

SELinux is preventing /usr/bin/su from execute access on the file /usr/bin/xauth.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that su should be allowed execute access on the xauth file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep su /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:xauth_exec_t:s0
Target Objects                /usr/bin/xauth [ file ]
Source                        su
Source Path                   /usr/bin/su
Port                          <Unknown>
Host                          box2.private.ycc
Source RPM Packages           coreutils-8.15-10.fc17.x86_64
Target RPM Packages           xorg-x11-xauth-1.0.7-1.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     box2.private.ycc
Platform                      Linux box2.private.ycc 3.8.13-100.fc17.x86_64 #1
                              SMP Mon May 13 13:36:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-29 12:35:25 CST
Last Seen                     2013-05-29 12:35:25 CST
Local ID                      100e3c77-76e0-4f54-9340-c2789f2ef90f

Raw Audit Messages
type=AVC msg=audit(1369852525.455:185): avc:  denied  { execute } for  pid=2055 comm="su" name="xauth" dev="sda3" ino=13901075 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1369852525.455:185): arch=x86_64 syscall=access success=yes exit=0 a0=7fa90e3665fb a1=1 a2=2 a3=4000 items=0 ppid=1985 pid=2055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=su exe=/usr/bin/su subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: su,zoneminder_t,xauth_exec_t,file,execute

audit2allow

#============= zoneminder_t ==============
allow zoneminder_t xauth_exec_t:file execute;

audit2allow -R

#============= zoneminder_t ==============
allow zoneminder_t xauth_exec_t:file execute;

SELinux is preventing /usr/bin/su from search access on the directory kernel.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that su should be allowed search access on the kernel directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep su /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                kernel [ dir ]
Source                        su
Source Path                   /usr/bin/su
Port                          <Unknown>
Host                          box2.private.ycc
Source RPM Packages           coreutils-8.15-10.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     box2.private.ycc
Platform                      Linux box2.private.ycc 3.8.13-100.fc17.x86_64 #1
                              SMP Mon May 13 13:36:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-29 12:35:25 CST
Last Seen                     2013-05-29 12:35:25 CST
Local ID                      18893635-7920-4c9d-befa-dd90993f0f47

Raw Audit Messages
type=AVC msg=audit(1369852525.388:183): avc:  denied  { search } for  pid=2055 comm="su" name="kernel" dev="proc" ino=8077 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir


type=AVC msg=audit(1369852525.388:183): avc:  denied  { read } for  pid=2055 comm="su" name="ngroups_max" dev="proc" ino=15214 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file


type=AVC msg=audit(1369852525.388:183): avc:  denied  { open } for  pid=2055 comm="su" path="/proc/sys/kernel/ngroups_max" dev="proc" ino=15214 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file


type=SYSCALL msg=audit(1369852525.388:183): arch=x86_64 syscall=open success=yes exit=EIO a0=7fa9197ddc85 a1=0 a2=0 a3=8 items=0 ppid=1985 pid=2055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=su exe=/usr/bin/su subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: su,zoneminder_t,sysctl_kernel_t,dir,search

audit2allow

#============= zoneminder_t ==============
allow zoneminder_t sysctl_kernel_t:dir search;
allow zoneminder_t sysctl_kernel_t:file { read open };

audit2allow -R

#============= zoneminder_t ==============
allow zoneminder_t sysctl_kernel_t:dir search;
allow zoneminder_t sysctl_kernel_t:file { read open };

SELinux is preventing /usr/bin/perl from getattr access on the file /etc/shadow.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed getattr access on the shadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep zmpkg.pl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:shadow_t:s0
Target Objects                /etc/shadow [ file ]
Source                        zmpkg.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          box2.private.ycc
Source RPM Packages           perl-5.14.4-225.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     box2.private.ycc
Platform                      Linux box2.private.ycc 3.8.13-100.fc17.x86_64 #1
                              SMP Mon May 13 13:36:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-29 12:35:10 CST
Last Seen                     2013-05-29 12:35:10 CST
Local ID                      f822823f-52a5-476e-b103-a4366eb8b577

Raw Audit Messages
type=AVC msg=audit(1369852510.143:161): avc:  denied  { getattr } for  pid=1985 comm="zmpkg.pl" path="/etc/shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file


type=SYSCALL msg=audit(1369852510.143:161): arch=x86_64 syscall=fstat success=yes exit=0 a0=6 a1=7fff9b236740 a2=7fff9b236740 a3=0 items=0 ppid=1984 pid=1985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=zmpkg.pl exe=/usr/bin/perl subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: zmpkg.pl,zoneminder_t,shadow_t,file,getattr

audit2allow

#============= zoneminder_t ==============
allow zoneminder_t shadow_t:file getattr;

audit2allow -R

#============= zoneminder_t ==============
allow zoneminder_t shadow_t:file getattr;

SELinux is preventing /usr/bin/perl from read access on the file /etc/shadow.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed read access on the shadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep zmpkg.pl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zoneminder_t:s0
Target Context                system_u:object_r:shadow_t:s0
Target Objects                /etc/shadow [ file ]
Source                        zmpkg.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          box2.private.ycc
Source RPM Packages           perl-5.14.4-225.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     box2.private.ycc
Platform                      Linux box2.private.ycc 3.8.13-100.fc17.x86_64 #1
                              SMP Mon May 13 13:36:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-29 12:35:10 CST
Last Seen                     2013-05-29 12:35:10 CST
Local ID                      21825d6b-7c5b-4cec-8f06-d9c9ccc0fe07

Raw Audit Messages
type=AVC msg=audit(1369852510.143:160): avc:  denied  { read } for  pid=1985 comm="zmpkg.pl" name="shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file


type=AVC msg=audit(1369852510.143:160): avc:  denied  { open } for  pid=1985 comm="zmpkg.pl" path="/etc/shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file


type=SYSCALL msg=audit(1369852510.143:160): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f078e3b96eb a1=80000 a2=1b6 a3=238 items=0 ppid=1984 pid=1985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=zmpkg.pl exe=/usr/bin/perl subj=system_u:system_r:zoneminder_t:s0 key=(null)

Hash: zmpkg.pl,zoneminder_t,shadow_t,file,read

audit2allow

#============= zoneminder_t ==============
allow zoneminder_t shadow_t:file { read open };

audit2allow -R

#============= zoneminder_t ==============
allow zoneminder_t shadow_t:file { read open };

I know this has nothing to do with you, but every time zoneminder is started, it puts an entry into its log:

zmfix - ERR - Can't stat: No such file or directory. - zmfix.cpp

.cpp should be a C++ app, but all I see are perl scripts.
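The AVC records above are what audit2allow turns into the allow rules shown under each alert. What follows is an added example, not part of this bug thread or of the selinux-policy package: it parses such records, merges permissions per source type, target type and class in first-seen order the way audit2allow does, and flags any rule whose target is a sensitive type (here shadow_t) for manual review rather than blind allowing, which is also how the thread ends up handling it (the later module in comment 14 goes through chkpwd_exec_t instead of granting shadow_t read). The sample log is the set of records from comment 3; the SENSITIVE_TYPES set is a starting list chosen for the example, not a value from the policy package.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC and SYSCALL records quoted in comment 3 of this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369852525.455:185): avc:  denied  { execute } for  pid=2055 comm="su" name="xauth" dev="sda3" ino=13901075 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1369852525.455:185): arch=x86_64 syscall=access success=yes exit=0 a0=7fa90e3665fb a1=1 a2=2 a3=4000 items=0 ppid=1985 pid=2055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=su exe=/usr/bin/su subj=system_u:system_r:zoneminder_t:s0 key=(null)
type=AVC msg=audit(1369852525.388:183): avc:  denied  { search } for  pid=2055 comm="su" name="kernel" dev="proc" ino=8077 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1369852525.388:183): avc:  denied  { read } for  pid=2055 comm="su" name="ngroups_max" dev="proc" ino=15214 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1369852525.388:183): avc:  denied  { open } for  pid=2055 comm="su" path="/proc/sys/kernel/ngroups_max" dev="proc" ino=15214 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1369852510.143:161): avc:  denied  { getattr } for  pid=1985 comm="zmpkg.pl" path="/etc/shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1369852510.143:160): avc:  denied  { read } for  pid=1985 comm="zmpkg.pl" name="shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1369852510.143:160): avc:  denied  { open } for  pid=1985 comm="zmpkg.pl" path="/etc/shadow" dev="sda3" ino=9570591 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Target types a service domain should never be granted by reflex.
# Starting list chosen for this example (assumption); extend it per site.
SENSITIVE_TYPES = {"shadow_t", "security_t", "auditd_log_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """user:role:type[:level] -> type. The MLS level may itself contain ':'."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other record types carry no access vector
        yield (context_type(m["scon"]), context_type(m["tcon"]),
               m["tclass"], m["perms"].split())


def aggregate(denials):
    """Merge permissions per (source, target, class) in first-seen order, as audit2allow does."""
    rules = OrderedDict()
    for src, tgt, cls, perms in denials:
        bucket = rules.setdefault((src, tgt, cls), [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    return rules


def format_rule(src, tgt, cls, perms):
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, tgt, cls, body)


def generate_module_body(text, sensitive=SENSITIVE_TYPES):
    """Return (policy text grouped by source domain, rules flagged for manual review)."""
    by_src = OrderedDict()
    for (src, tgt, cls), perms in aggregate(parse_denials(text)).items():
        by_src.setdefault(src, []).append((tgt, cls, perms))
    lines, flagged = [], []
    for src, entries in by_src.items():
        lines.append("#============= %s ==============" % src)
        for tgt, cls, perms in entries:
            rule = format_rule(src, tgt, cls, perms)
            if tgt in sensitive:
                # Mark the rule instead of dropping it so the reviewer sees what was asked for.
                lines.append("# REVIEW: %s reaches %s; find the intended access path instead of allowing" % (src, tgt))
                flagged.append(rule)
            lines.append(rule)
    return "\n".join(lines), flagged


if __name__ == "__main__":
    body, flagged = generate_module_body(SAMPLE_AUDIT_LOG)
    print(body)
    print("\n%d rule(s) need manual review" % len(flagged))
```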
Comment 4 Bill Gradwohl 2013-05-29 14:50:50 EDT
I should have added that I don't see any odd log entries. but I've only had it up a few minutes. If any appear I'll report them.
Comment 5 Tristan Santore 2013-07-03 01:14:43 EDT
I have had time to prod zoneminder again. This time I enabled email sending of events. I was hoping at the time that the httpd_can_sendmail --> on bool would allow email sending in zoneminder, but it does not.

I had to add the following entries into the policy module for zoneminder.

gen_require(` type smtp_port_t, sendmail_exec_t; ')
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
allow zoneminder_t sendmail_exec_t:file getattr;


Miroslav or Dan,

if you guys could add those I would be grateful. Might be cool to have a boolean for zoneminder to allow email sending; also there is still the FTP stuff outstanding. Potentially also X10 stuff; however, as I do not own X10 hardware, I cannot test it, so somebody else with X10 hardware will have to step in.

In terms of an ftp, when I have time I will set one up, then see what denials I get.

Regards,

Tristan
Comment 6 Miroslav Grepl 2013-07-03 04:23:15 EDT
Ok, I am playing with it to bring up a solution for zoneminder finally.
Comment 7 Miroslav Grepl 2013-07-03 06:50:54 EDT
Ok, I added a lot of fixes.

commit 878c5568771c7220dac85e70c958fc1c81db381d
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 3 12:50:22 2013 +0200

    Allow zoneminder apache scripts to rw zoneminder tmpfs

commit e27706ea0596acfa734dbb4bf499e3cce3b99d03
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 3 12:49:41 2013 +0200

    Allow httpd to manage zoneminder lib files

commit 13763d2c013d5b07360db072bc19ad600d226fd3
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 3 12:47:48 2013 +0200

    Add zoneminder_run_sudo boolean to allow to start zoneminder

commit 1a7b07c942a9b1117a3a5cce4bcc0f0f54b66267
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 3 10:16:00 2013 +0200

    Allow zoneminder to send mails
Comment 8 Fedora Update System 2013-08-05 01:40:20 EDT
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-99.fc18
Comment 9 Timothy Ward 2013-08-05 02:15:47 EDT
This also happens on Fedora 19. Could the selinux-policy for Fedora 19 be updated to include the new zoneminder policy?

Regards

Tim
Comment 10 Tristan Santore 2013-08-05 02:25:16 EDT
Just a little heads up: since the pam changes to address the passwd rootok non-audit issue, my dreaded sudo audit stuff is back in the logs, meaning it is being denied. I will have to check if this policy works and addresses the now apparent issue. So, be warned, zoneminder might not be functional with this update.
I will update when I have more information, including a possible fix, if required.

Hopefully, later today, when I wake up I will have the update on the mirror and also have time to test.

Please note also, I still have not set up an FTP, so the policy can add ftp support. Also somebody will have to test X10 stuff, as I do not have any X10 hardware.

Regards,

Tristan
Comment 11 Timothy Ward 2013-08-05 10:06:12 EDT
Thanks for the heads up. I have not tried the package for a while, but it was a pain to configure it to work then, and it does not look like it has moved forward with all the changes etc. The point is to move it forward and update whatever has been fixed up to now, no matter what it is; then we can concentrate on the new problems and bugs. I understand it takes time to accomplish, but the amount of time to config this program to work at all will make most users, but not all, give up.

Regards

Tim
Comment 12 Miroslav Grepl 2013-08-05 11:14:59 EDT
Also pls make sure you run

# setsebool -P zoneminder_run_sudo 1
Comment 13 Fedora Update System 2013-08-05 20:13:53 EDT
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14256/selinux-policy-3.11.1-99.fc18
then log in and leave karma (feedback).
Comment 14 Tristan Santore 2013-08-07 06:19:04 EDT
OK, I have had a chance to test this now, and the policy is still very broken indeed. I also have the funny feeling the PAM maintainer has not actually fixed the rootok issue, as I saw no denials. I have not set semodule -DB though.


Anyway, below is the policy I made that fixes the newest zoneminder policy, further details also below.

Miroslav, am I right to assume that zoneminder_anon_write means it can write files anywhere? Not sure this is something anyone would want really, unless this is for people who mount and do not restore contexts.

rpm -qa|grep selinux
libselinux-utils-2.1.12-7.3.fc18.x86_64
selinux-policy-devel-3.11.1-98.fc18.noarch
selinux-policy-3.11.1-99.fc18.noarch
selinux-policy-doc-3.11.1-98.fc18.noarch
selinux-policy-targeted-3.11.1-99.fc18.noarch
libselinux-python-2.1.12-7.3.fc18.x86_64
libselinux-2.1.12-7.3.fc18.x86_64

getsebool -a|grep zone
zoneminder_anon_write --> off
zoneminder_run_sudo --> on

Please note that with the .te I did it step by step (commented out now), then audit2why'd again to get it to tidy the stuff up a little. So, please excuse the mess.

After saving below file do:

make -f /usr/share/selinux/devel/Makefile
semodule -i myzonem2fix.pp
semodule -l |grep zone

Hope this helps.

Regards, Tristan

Save below as myzonem2fix.te:

policy_module(myzonem2fix, 1.0.0)
gen_require(` type zoneminder_t, httpd_t, httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_tmpfs_t, smtp_port_t, tmpfs_t, initrc_var_run_t, zoneminder_exec_t; ')
require {
	class passwd { rootok };
	class passwd { passwd };
	type httpd_t, chkpwd_exec_t;
}
#allow zoneminder_t self:passwd rootok;
#allow zoneminder_t chkpwd_exec_t:file execute;
#allow zoneminder_t chkpwd_exec_t:file { read open };
#allow zoneminder_t chkpwd_exec_t:file execute_no_trans;
#allow zoneminder_t self:passwd passwd;


#============= httpd_t ==============
#allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
#allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open getattr add_name };
#allow httpd_t zoneminder_var_lib_t:file { read getattr open };
#allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };

#============= httpd_zoneminder_script_t ==============
#allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
#allow httpd_zoneminder_script_t tmpfs_t:dir search;
#!!!! This avc is allowed in the current policy

#allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write getattr open };
#allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr open };

#============= zoneminder_t ==============
#allow zoneminder_t self:netlink_selinux_socket create;

#!!!! This avc can be allowed using the boolean 'nis_enabled'

#allow zoneminder_t smtp_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy

#allow zoneminder_t zoneminder_var_lib_t:lnk_file { read getattr };

#
#
#allow httpd_zoneminder_script_t tmpfs_t:dir search;
#allow zoneminder_t self:netlink_selinux_socket bind;

#============= httpd_t ==============
allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
allow httpd_t zoneminder_exec_t:file getattr;
allow httpd_t zoneminder_t:unix_stream_socket connectto;
allow httpd_t zoneminder_tmpfs_t:file { read write getattr open };
allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open getattr add_name };
allow httpd_t zoneminder_var_lib_t:file { read write getattr open create };
allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };

#============= httpd_zoneminder_script_t ==============
allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow httpd_zoneminder_script_t tmpfs_t:dir search;
allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write getattr open };
allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr open create };

#============= zoneminder_t ==============
allow zoneminder_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow zoneminder_t self:netlink_selinux_socket { bind create };
allow zoneminder_t self:passwd passwd;
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
allow zoneminder_t zoneminder_var_lib_t:lnk_file { read getattr }

####################################################
# missing httpd stuff below to make web interface work
######################################################
#allow httpd_t initrc_var_run_t:file { read lock open };
#allow httpd_t zoneminder_t:unix_stream_socket connectto;
#allow httpd_t zoneminder_exec_t:file getattr;
#allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir create;
#allow httpd_t zoneminder_tmpfs_t:file { read write };
#allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir rmdir;
#allow httpd_zoneminder_script_t zoneminder_var_lib_t:file create;
#allow httpd_t zoneminder_tmpfs_t:file open;
#allow httpd_t zoneminder_tmpfs_t:file getattr;
#allow httpd_t zoneminder_var_lib_t:file create;
#allow httpd_t zoneminder_var_lib_t:file write;



#============= httpd_t ==============
allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
allow httpd_t initrc_var_run_t:file { read lock open };
allow httpd_t zoneminder_exec_t:file getattr;
allow httpd_t zoneminder_t:unix_stream_socket connectto;
allow httpd_t zoneminder_tmpfs_t:file { read write getattr open };
allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open getattr add_name };
allow httpd_t zoneminder_var_lib_t:file { read write getattr open create };
allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };

#============= httpd_zoneminder_script_t ==============
allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow httpd_zoneminder_script_t tmpfs_t:dir search;
allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write getattr open };
allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr open create };
Comment 15 Fedora Update System 2013-08-07 07:11:35 EDT
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-100.fc18
Comment 16 Fedora Update System 2013-08-07 18:59:25 EDT
Package selinux-policy-3.11.1-100.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-100.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14399/selinux-policy-3.11.1-100.fc18
then log in and leave karma (feedback).
Comment 17 Timothy Ward 2013-08-07 23:57:20 EDT
On Fedora 19 .686 I get this message


[tim@localhost ~]$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted myzone2fix module
/usr/bin/checkmodule:  loading policy configuration from tmp/myzone2fix.tmp
myzone2fix.te":85:ERROR 'syntax error' at token 'allow' on line 3262:
allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
#============= httpd_t ==============
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/myzone2fix.mod] Error 1
[tim@localhost ~]$ 

(In reply to Tristan Santore from comment #14)
> OK, I have had a chance to test this now, and the policy is still very
> broken indeed. I also have the funny feeling the PAM maintainer has not
> actually fixed the rootok issue, as I saw no denials. I have not set
> semodule -DB though.
> 
> 
> Anyway, below is the policy I made that fixes the newest zoneminder policy,
> further details also below.
> 
> Miroslav, am I right to assume that zoneminder_anon_write, is that is can
> write files anywhere ? Not sure this is something anyone would want really,
> unless this is for people who mount and and do not restore contexts.
> 
> rpm -qa|grep selinux
> libselinux-utils-2.1.12-7.3.fc18.x86_64
> selinux-policy-devel-3.11.1-98.fc18.noarch
> selinux-policy-3.11.1-99.fc18.noarch
> selinux-policy-doc-3.11.1-98.fc18.noarch
> selinux-policy-targeted-3.11.1-99.fc18.noarch
> libselinux-python-2.1.12-7.3.fc18.x86_64
> libselinux-2.1.12-7.3.fc18.x86_64
> 
> getsebool -a|grep zone
> zoneminder_anon_write --> off
> zoneminder_run_sudo --> on
> 
> Please note with the .te I did it step by step, commented out now, then
> audit2why'd again to get it to tidy the stuff up a little. So, please excuse
> the mess.
> 
> After saving below file do:
> 
> make -f /usr/share/selinux/devel/Makefile
> semodule -i myzonem2fix.pp
> semodule -l |grep zone
> 
> Hope this helps.
> 
> Regards, Tristan
> 
> Save below as myzonem2fix.te:
> 
>        policy_module(myzonem2fix, 1.0.0)
> gen_require(` type zoneminder_t, httpd_t, httpd_zoneminder_script_t,
> zoneminder_var_lib_t,zoneminder_tmpfs_t,smtp_port_t,tmpfs_t,initrc_var_run_t,
> zoneminder_exec_t; ')
> require {
>                 class passwd { rootok };
>                 class passwd { passwd };
>                 type httpd_t, chkpwd_exec_t;
>         }
> #allow zoneminder_t self:passwd rootok;
> #allow zoneminder_t chkpwd_exec_t:file execute;
> #allow zoneminder_t chkpwd_exec_t:file { read open };
> #allow zoneminder_t chkpwd_exec_t:file execute_no_trans;
> #allow zoneminder_t self:passwd passwd;
> 
> 
> #============= httpd_t ==============
> #allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
> #allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open
> getattr add_name };
> #allow httpd_t zoneminder_var_lib_t:file { read getattr open };
> #allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };
> 
> #============= httpd_zoneminder_script_t ==============
> #allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
> #allow httpd_zoneminder_script_t tmpfs_t:dir search;
> #!!!! This avc is allowed in the current policy
> 
> #allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write
> getattr open };
> #allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr
> open };
> 
> #============= zoneminder_t ==============
> #allow zoneminder_t self:netlink_selinux_socket create;
> 
> #!!!! This avc can be allowed using the boolean 'nis_enabled'
> 
> #allow zoneminder_t smtp_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> 
> #allow zoneminder_t zoneminder_var_lib_t:lnk_file { read getattr };
> 
> #
> #
> #allow httpd_zoneminder_script_t tmpfs_t:dir search;
> #allow zoneminder_t self:netlink_selinux_socket bind;
> 
> #============= httpd_t ==============
> allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
> allow httpd_t zoneminder_exec_t:file getattr;
> allow httpd_t zoneminder_t:unix_stream_socket connectto;
> allow httpd_t zoneminder_tmpfs_t:file { read write getattr open };
> allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open
> getattr add_name };
> allow httpd_t zoneminder_var_lib_t:file { read write getattr open create };
> allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };
> 
> #============= httpd_zoneminder_script_t ==============
> allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
> allow httpd_zoneminder_script_t tmpfs_t:dir search;
> allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write getattr
> open };
> allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
> allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr
> open create };
> 
> #============= zoneminder_t ==============
> allow zoneminder_t chkpwd_exec_t:file { read execute open execute_no_trans };
> allow zoneminder_t self:netlink_selinux_socket { bind create };
> allow zoneminder_t self:passwd passwd;
> allow zoneminder_t smtp_port_t:tcp_socket name_connect;
> allow zoneminder_t zoneminder_var_lib_t:lnk_file { read getattr };
> 
> ####################################################
> # missing httpd stuff below to make web interface work
> ######################################################
> #allow httpd_t initrc_var_run_t:file { read lock open };
> #allow httpd_t zoneminder_t:unix_stream_socket connectto;
> #allow httpd_t zoneminder_exec_t:file getattr;
> #allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir create;
> #allow httpd_t zoneminder_tmpfs_t:file { read write };
> #allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir rmdir;
> #allow httpd_zoneminder_script_t zoneminder_var_lib_t:file create;
> #allow httpd_t zoneminder_tmpfs_t:file open;
> #allow httpd_t zoneminder_tmpfs_t:file getattr;
> #allow httpd_t zoneminder_var_lib_t:file create;
> #allow httpd_t zoneminder_var_lib_t:file write;
> 
> 
> 
> #============= httpd_t ==============
> allow httpd_t httpd_zoneminder_script_t:unix_dgram_socket sendto;
> allow httpd_t initrc_var_run_t:file { read lock open };
> allow httpd_t zoneminder_exec_t:file getattr;
> allow httpd_t zoneminder_t:unix_stream_socket connectto;
> allow httpd_t zoneminder_tmpfs_t:file { read write getattr open };
> allow httpd_t zoneminder_var_lib_t:dir { write search read remove_name open
> getattr add_name };
> allow httpd_t zoneminder_var_lib_t:file { read write getattr open create };
> allow httpd_t zoneminder_var_lib_t:sock_file { write create unlink };
> 
> #============= httpd_zoneminder_script_t ==============
> allow httpd_zoneminder_script_t httpd_t:unix_dgram_socket sendto;
> allow httpd_zoneminder_script_t tmpfs_t:dir search;
> allow httpd_zoneminder_script_t zoneminder_tmpfs_t:file { read write getattr
> open };
> allow httpd_zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
> allow httpd_zoneminder_script_t zoneminder_var_lib_t:file { read getattr
> open create };
Comment 18 Fedora Update System 2013-08-14 22:53:25 EDT
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Panagiotis Kalogiratos 2013-10-11 19:57:59 EDT
Zoneminder will still not start with SELinux in enforcing mode under F19 with selinux-policy-3.12.1-74.8.fc19. I don't know if this is a regression or the patch never made it through to F19.
Comment 20 Daniel Walsh 2013-10-16 16:15:46 EDT
Could you attach the AVCs you are getting?
Comment 21 Panagiotis Kalogiratos 2013-10-16 23:30:17 EDT
Upon starting the service I am getting:

Raw Audit Messages
type=AVC msg=audit(1381979919.142:217): avc:  denied  { create } for  pid=6150 comm="su" scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=netlink_selinux_socket


type=SYSCALL msg=audit(1381979919.142:217): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=80003 a2=7 a3=1 items=0 ppid=6139 pid=6150 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=su exe=/usr/bin/su subj=system_u:system_r:zoneminder_t:s0 key=(null)

If I make a module to allow this, as sealert suggests, the service starts, showing this on "service zoneminder status":

Oct 17 06:24:58 edited.dns.com su[6281]: (to apache) root on none
Oct 17 06:24:58 edited.dns.com su[6298]: (to apache) root on none
Oct 17 06:24:58 edited.dns.com su[6306]: (to apache) root on none
Oct 17 06:24:59 edited.dns.com su[6313]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com su[6354]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com su[6361]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com su[6373]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com su[6384]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com su[6394]: (to apache) root on none
Oct 17 06:25:02 edited.dns.com systemd[1]: Started Video securit...


Not sure if the above are ok, but after opening the zoneminder URL and trying to start zoneminder it also fails, throwing these:

type=AVC msg=audit(1381979554.827:190): avc:  denied  { connectto } for  pid=5887 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979554.827:190): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1a8c780 a2=6e a3=7fffa900fd90 items=0 ppid=1426 pid=5887 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979554.951:191): avc:  denied  { connectto } for  pid=5892 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979554.951:191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=cc6780 a2=6e a3=7fffea2648b0 items=0 ppid=1426 pid=5892 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979554.962:192): avc:  denied  { read } for  pid=5899 comm="uptime" name="utmp" dev="tmpfs" ino=10961 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1381979554.962:192): arch=c000003e syscall=2 success=no exit=-13 a0=7f38f1cdf9a4 a1=80000 a2=7f38f1cdf995 a3=7fffcc2f96e0 items=0 ppid=1426 pid=5899 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979554.962:193): avc:  denied  { read } for  pid=5899 comm="uptime" name="utmp" dev="tmpfs" ino=10961 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1381979554.962:193): arch=c000003e syscall=2 success=no exit=-13 a0=7f38f1cdf9a4 a1=80000 a2=7f38f1cdf995 a3=0 items=0 ppid=1426 pid=5899 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979558.949:194): avc:  denied  { connectto } for  pid=5936 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979558.949:194): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1009780 a2=6e a3=7fff4e9bf230 items=0 ppid=1426 pid=5936 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979560.642:195): avc:  denied  { connectto } for  pid=5947 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979560.642:195): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=19dd780 a2=6e a3=7fffd8470ab0 items=0 ppid=1426 pid=5947 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979561.762:196): avc:  denied  { getattr } for  pid=5959 comm="sh" path="/usr/bin/zmpkg.pl" dev="sda1" ino=17173610 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1381979561.762:196): arch=c000003e syscall=4 success=no exit=-13 a0=d41170 a1=7fff632501e0 a2=7fff632501e0 a3=7fff63250040 items=0 ppid=5958 pid=5959 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979561.762:197): avc:  denied  { getattr } for  pid=5959 comm="sh" path="/usr/bin/zmpkg.pl" dev="sda1" ino=17173610 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1381979561.762:197): arch=c000003e syscall=4 success=no exit=-13 a0=d41170 a1=7fff632501c0 a2=7fff632501c0 a3=7fff63250040 items=0 ppid=5958 pid=5959 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979561.974:198): avc:  denied  { connectto } for  pid=5963 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979561.974:198): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1ef9780 a2=6e a3=7fffe8e3ac70 items=0 ppid=5883 pid=5963 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979562.100:199): avc:  denied  { connectto } for  pid=5972 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1381979562.100:199): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=2258780 a2=6e a3=7fff0a0ba310 items=0 ppid=5883 pid=5972 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979562.112:200): avc:  denied  { read } for  pid=5983 comm="uptime" name="utmp" dev="tmpfs" ino=10961 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1381979562.112:200): arch=c000003e syscall=2 success=no exit=-13 a0=7f1eded619a4 a1=80000 a2=7f1eded61995 a3=7fff73aecab0 items=0 ppid=5883 pid=5983 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381979562.112:201): avc:  denied  { read } for  pid=5983 comm="uptime" name="utmp" dev="tmpfs" ino=10961 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1381979562.112:201): arch=c000003e syscall=2 success=no exit=-13 a0=7f1eded619a4 a1=80000 a2=7f1eded61995 a3=0 items=0 ppid=5883 pid=5983 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
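A practical way to review denials like the ones above is to collapse the repeated AVC records into unique (source type, target type, class, permissions) entries and check them against the rules of a local module before deciding whether a new one is needed. The following Python script is an added example for this bug, not code from the bug report, from sealert/audit2allow or from selinux-policy; it embeds a few AVC records copied from Comment 21 and four allow rules copied from the myzonem2fix.te module in Comment 17, and reports which denials that module does not already cover (for these records, none). It only understands plain allow rules, so unlike audit2allow it knows nothing about booleans or the loaded base policy.

```python
"""Summarize raw SELinux AVC denials and compare them with a .te module's allow
rules (added example; not part of this bug report or of selinux-policy)."""
import re
from collections import defaultdict

# AVC records copied from Comment 21 of this bug. SYSCALL records are left out
# and one repeated connectto denial is kept on purpose to show de-duplication.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1381979919.142:217): avc:  denied  { create } for  pid=6150 comm="su" scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1381979554.827:190): avc:  denied  { connectto } for  pid=5887 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1381979554.962:192): avc:  denied  { read } for  pid=5899 comm="uptime" name="utmp" dev="tmpfs" ino=10961 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1381979561.762:196): avc:  denied  { getattr } for  pid=5959 comm="sh" path="/usr/bin/zmpkg.pl" dev="sda1" ino=17173610 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_exec_t:s0 tclass=file
type=AVC msg=audit(1381979562.100:199): avc:  denied  { connectto } for  pid=5972 comm="zmdc.pl" path="/var/lib/zoneminder/sock/zmdc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:zoneminder_t:s0 tclass=unix_stream_socket
"""

# Allow rules copied from the myzonem2fix.te module posted in Comment 17.
SAMPLE_POLICY = """\
allow httpd_t initrc_var_run_t:file { read lock open };
allow httpd_t zoneminder_exec_t:file getattr;
allow httpd_t zoneminder_t:unix_stream_socket connectto;
allow zoneminder_t self:netlink_selinux_socket { bind create };
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
ALLOW_RE = re.compile(
    r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;', re.M)


def _type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into (source type, target type, class, perms)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return (_type(fields['scontext']), _type(fields['tcontext']),
            fields['tclass'], set(m.group('perms').split()))


def summarize(audit_text):
    """Merge repeated denials into one (stype, ttype, tclass) -> perms entry."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            denials[(stype, ttype, tclass)] |= perms
    return dict(denials)


def parse_policy(te_text):
    """Extract plain allow rules from .te text in the same keyed form.
    'self' is resolved to the source type so it compares with AVC contexts."""
    allowed = defaultdict(set)
    for stype, ttype, tclass, perms in ALLOW_RE.findall(te_text):
        ttype = stype if ttype == 'self' else ttype
        allowed[(stype, ttype, tclass)] |= set(perms.strip('{} ').split())
    return dict(allowed)


def as_rule(key, perms):
    """Render a denial as the allow rule that would grant it (audit2allow style)."""
    stype, ttype, tclass = key
    ttype = 'self' if ttype == stype else ttype
    plist = ' '.join(sorted(perms))
    return f"allow {stype} {ttype}:{tclass} {plist if len(perms) == 1 else '{ ' + plist + ' }'};"


def uncovered(denials, allowed):
    """Return the denials (and only the perms) that the policy does not grant."""
    missing = {}
    for key, perms in denials.items():
        left = perms - allowed.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == '__main__':
    denials = summarize(SAMPLE_AUDIT)
    print(f"{len(denials)} unique denial(s):")
    for key, perms in sorted(denials.items()):
        print('  ' + as_rule(key, perms))
    still_missing = uncovered(denials, parse_policy(SAMPLE_POLICY))
    print('not covered by the Comment 17 module:',
          [as_rule(k, p) for k, p in still_missing.items()] or 'nothing')
```

Running it prints the four unique denials behind the fifteen records above and reports that the Comment 17 module already grants every one of them, which is the question Comment 19 raises about whether that fix reached F19. The script deliberately stops at reporting: whether a rule belongs in a local module or in the distribution policy (as Comment 22 decides) is a review decision, not something to automate.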
Comment 22 Daniel Walsh 2013-10-17 09:52:03 EDT
40845b20225bf12af4e42ca40aa65af53d49523f fixes the new AVCs.

239dff670412c7fc7681536ad714024e6f9ffe88 fixes the zoneminder creating an SELinux socket.
Comment 23 Fedora Update System 2014-12-03 07:53:12 EST
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19
Comment 24 Fedora Update System 2014-12-04 01:27:07 EST
Package selinux-policy-3.12.1-74.30.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.30.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16276/selinux-policy-3.12.1-74.30.fc19
then log in and leave karma (feedback).
Comment 25 Fedora Update System 2014-12-19 13:29:13 EST
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.