Summary:
SELinux is preventing nph-zms "create" access on zms-959258s.sock.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by nph-zms. It is not expected that this access
is required by nph-zms and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects zms-959258s.sock [ sock_file ]
Source nph-zms
Source Path /usr/libexec/zoneminder/cgi-bin/nph-zms
Port <Unknown>
Host fedora13-gatewaygt5408.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.7.19-33.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name fedora13-gatewaygt5408.localdomain
Platform Linux fedora13-gatewaygt5408.localdomain
2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40
UTC 2010 i686 i686
Alert Count 11
First Seen Thu 26 Aug 2010 04:44:35 PM CDT
Last Seen Fri 27 Aug 2010 12:12:37 AM CDT
Local ID 3c25c472-e94f-4176-b09a-53481064d23f
Line Numbers
Raw Audit Messages
node=fedora13-gatewaygt5408.localdomain type=AVC msg=audit(1282885957.367:51968): avc: denied { create } for pid=10063 comm="nph-zms" name="zms-959258s.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
I searched for "SELinux is preventing nph-zms create access on zms" on Google and found a bug report on it...
Bug 611016 - SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
Attachment: Audit log of zoneminder (and possibly other) SELinux events (9.28 KB, application/x-gzip), 2010-07-05 12:37 EDT, Bart Kus
Summary:
SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
This happens in F13 after /etc/php.ini is modified to set short_open_tag = On so that zoneminder's /usr/share/zoneminder/www/includes/functions.php file does not report a php parse error. The package does not work otherwise.
Detailed Description:
SELinux denied access requested by zmdc.pl. It is not expected that this access
is required by zmdc.pl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:tmp_t:s0
Target Objects zmdc.sock [ sock_file ]
Source zmdc.pl
Source Path /usr/bin/perl
Port <Unknown>
Host (removed)
Source RPM Packages perl-5.10.1-112.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-28.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count 2
First Seen Fri 02 Jul 2010 10:48:15 PM PDT
Last Seen Fri 02 Jul 2010 10:53:15 PM PDT
Local ID af890b81-278b-4e76-83d8-f847169d3211
Line Numbers
Raw Audit Messages
node=(removed) type=AVC msg=audit(1278136395.689:27417): avc: denied { write } for pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
node=(removed) type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46550 a2=da9d6c a3=93bf008 items=0 ppid=2920 pid=3118 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="zmdc.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Hash String generated from catchall,zmdc.pl,httpd_t,tmp_t,sock_file,write
audit2allow suggests:
#============= httpd_t ==============
allow httpd_t tmp_t:sock_file write;
Bart, all these your bugs are caused by zoneminder, which is running as initrc_t domain. It means zoneminder needs policy.
You can do the following steps as workaround
1. chcon -t httpd_sys_script_exec_t /usr/libexec/zoneminder/cgi-bin/*
2. setenforce 0
3. run zoneminder
4. setenforce 1
5. add local policy using
   grep avc /var/log/audit/audit.log | audit2allow -M myzoneminder
   semodule -i myzoneminder.pp
Will fix for now and I will write zoneminder policy. Also please send me your compressed /var/log/audit/audit.log.
Read more... https://bugzilla.redhat.com/show_bug.cgi?id=611016
Thanks.
Don
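A review aid for step 5 of the workaround, as an added example (not code from the bug report or from audit2allow): it parses the two AVC records quoted on this page plus one constructed, unrelated record, and lists the allow rules that an unfiltered `grep avc` of the audit log would fold into the module, with an optional filter by source type. The function names, the third log record and the list of generic types are assumptions of this example.

```python
import re
from collections import defaultdict

# First two records are the AVC lines quoted on this page (node= prefix trimmed).
# The third is constructed, to show an unrelated denial riding along in the log.
SAMPLE_LOG = """\
type=AVC msg=audit(1282885957.367:51968): avc: denied { create } for pid=10063 comm="nph-zms" name="zms-959258s.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1278136395.689:27417): avc: denied { write } for pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1282886000.000:52000): avc: denied { read } for pid=4242 comm="example-daemon" name="example.conf" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Illustrative list (an assumption of this example): types shared by many unrelated files.
GENERIC_TYPES = {"tmp_t", "var_t", "etc_t", "usr_t"}

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def proposed_rules(log_text, source_type=None):
    """Group denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = sel_type(m["scon"]), sel_type(m["tcon"])
        if source_type and src != source_type:
            continue  # denial from another domain: keep it out of this module
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def render(rules):
    """Format the grouped denials as allow rules, flagging generic target types."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = f"  # generic type: covers every {tgt} {tclass}" if tgt in GENERIC_TYPES else ""
        out.append(f"allow {src} {tgt}:{tclass} {perm_str};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(proposed_rules(SAMPLE_LOG))))             # everything in the log
    print("\n".join(render(proposed_rules(SAMPLE_LOG, "httpd_t"))))  # httpd_t denials only
```

Comparing the unfiltered and filtered output before running `semodule -i` shows which rules come from zoneminder's httpd_t denials and which were swept in from other domains.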