
Thursday, September 9, 2010

SELinux is preventing nph-zms "create" access on zms-959258s.sock.


Summary:

SELinux is preventing nph-zms "create" access on zms-959258s.sock.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by nph-zms. It is not expected that this access
is required by nph-zms and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                zms-959258s.sock [ sock_file ]
Source                        nph-zms
Source Path                   /usr/libexec/zoneminder/cgi-bin/nph-zms
Port                          <Unknown>
Host                          fedora13-gatewaygt5408.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     fedora13-gatewaygt5408.localdomain
Platform                      Linux fedora13-gatewaygt5408.localdomain
                              2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40
                              UTC 2010 i686 i686
Alert Count                   11
First Seen                    Thu 26 Aug 2010 04:44:35 PM CDT
Last Seen                     Fri 27 Aug 2010 12:12:37 AM CDT
Local ID                      3c25c472-e94f-4176-b09a-53481064d23f
Line Numbers                  

Raw Audit Messages            

node=fedora13-gatewaygt5408.localdomain type=AVC msg=audit(1282885957.367:51968): avc:  denied  { create } for  pid=10063 comm="nph-zms" name="zms-959258s.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

I searched for "SELinux is preventing nph-zms create access on zms" on Google and found a bug report on it...

Bug 611016 - SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.
Status: NEW
Product: Fedora
Component: selinux-policy
Version: 13
Platform: i386 Linux
Priority: low
Severity: medium
Whiteboard: setroubleshoot_trace_hash:15359d0620a...
Reported: 2010-07-03 01:59 EDT
Modified: 2010-07-05 12:37 EDT

Attachments:
Audit log of zoneminder (and possibly other) SELinux events (9.28 KB, application/x-gzip), 2010-07-05 12:37 EDT

Description 2010-07-03 01:59:18 EDT

Summary:

SELinux is preventing /usr/bin/perl "write" access on zmdc.sock.

This happens in F13 after /etc/php.ini is modified to set short_open_tag = On
so that zoneminder's /usr/share/zoneminder/www/includes/functions.php file does
not report a php parse error.  The package does not work otherwise.

Detailed Description:

SELinux denied access requested by zmdc.pl. It is not expected that this access
is required by zmdc.pl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                zmdc.sock [ sock_file ]
Source                        zmdc.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.1-112.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686 #1 SMP
                              Fri Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Fri 02 Jul 2010 10:48:15 PM PDT
Last Seen                     Fri 02 Jul 2010 10:53:15 PM PDT
Local ID                      af890b81-278b-4e76-83d8-f847169d3211
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278136395.689:27417): avc:  denied  { write } for  pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff46550 a2=da9d6c a3=93bf008 items=0 ppid=2920 pid=3118 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="zmdc.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from  catchall,zmdc.pl,httpd_t,tmp_t,sock_file,write

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t tmp_t:sock_file write;

Comment 1 2010-07-04 17:34:58 EDT

Bart,

all these your bugs are caused by zoneminder, which is running as initrc_t domain. It means zoneminder needs policy.

You can do the following steps as workaround

1. chcon -t httpd_sys_script_exec_t /usr/libexec/zoneminder/cgi-bin/*
2. setenforce 0
3. run zoneminder
4. setenforce 1
5. add local policy using

   grep avc /var/log/audit/audit.log | audit2allow -M myzoneminder
   semodule -i myzoneminder.pp

Will fix for now and I will write zoneminder policy. Also please send me your compressed /var/log/audit/audit.log.

Read more...  https://bugzilla.redhat.com/show_bug.cgi?id=611016

Thanks.

If your SELinux is set to Permissive Mode, then it won't be denied, but it will keep causing SELinux alerts to pop up unless you tell it to stop annoying you...

Don
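
Added example (not part of the original post or the bug report): step 5 of the workaround feeds every AVC line in the audit log to audit2allow, so it helps to see what would be allowed before loading the module. This Python sketch parses the two AVC records shown on this page and prints the merged rule; the list of "generic" target types used for flagging is this example's own assumption.

```python
import re
from collections import defaultdict

# AVC/SYSCALL records copied from the two alerts on this page (node= prefix trimmed).
SAMPLE_LOG = """\
type=AVC msg=audit(1282885957.367:51968): avc:  denied  { create } for  pid=10063 comm="nph-zms" name="zms-959258s.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1278136395.689:27417): avc:  denied  { write } for  pid=3118 comm="zmdc.pl" name="zmdc.sock" dev=dm-1 ino=82666 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1278136395.689:27417): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Assumption of this example: target types shared by many unrelated programs.
GENERIC_TYPES = {"tmp_t", "var_t", "usr_t", "etc_t", "default_t", "file_t"}

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no rule data
        key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
    return groups

def rules(log_text):
    """Build audit2allow-style rules, flagging ones aimed at generic types."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(log_text).items()):
        perms = sorted(g["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append({"rule": f"allow {src} {tgt}:{cls} {perm_s};",
                    "comms": sorted(g["comms"]), "broad": tgt in GENERIC_TYPES})
    return out

if __name__ == "__main__":
    for r in rules(SAMPLE_LOG):
        flag = "  # REVIEW: generic target type" if r["broad"] else ""
        print(f"{r['rule']}{flag}  (seen from: {', '.join(r['comms'])})")
```

The merged rule applies to every process in httpd_t, not only the two ZoneMinder programs that triggered the denials, which is why a rule against a generic type such as tmp_t is worth reviewing before `semodule -i`.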