On 2/27/19 1:53 PM, mark wrote:
On 02/27/19 04:10, Lukas Vrabec wrote:
On 2/26/19 9:55 PM, mark wrote:
Subject: Re: Policy issue: C7 and motion Date: Tue, 26 Feb 2019 09:31:18 +0100 From: Lukas Vrabec lvrabec@redhat.com Organization: Red Hat, Inc. To: selinux@lists.fedoraproject.org
On 2/25/19 7:20 PM, mark wrote:
Not sure who's package let an error slip in, but I don't believe I've had this issue before: SELinux is preventing /usr/bin/motion from map access on the chr_file /dev/video1
Yes, that should be allowed by default.
Yes, it should be allowed by default, but do you have raw AVCs related to this issue?
type=AVC msg=audit(1551118810.099:136938): avc: denied { map } for pid=5076 comm="motion" path="/dev/video1" dev="devtmpfs" ino=27287 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1
Does that help?
Yes it helped. What version of Fedora are you using? I fixed this issue here: https://github.com/fedora-selinux/selinux-policy-contrib/commit/0b295220e86c...
It should be fixed in Fedora28+
CentOS 7, not fedora.
Ok, that make sense, could you please create bugzilla? But best step would be to allow it on your system by using custom local module.
Thanks, Lukas.
mark