Zoneminder RPM & SRPMS for Red Hat & CentOS 6

[echu2013]

hi echu2013,
Thanks for the feedback.
I've read through a few references to this issue, but the strange thing is that I can't reproduce it on my 64bit CentOS production server nor on my development virtual machine. zmfilter appears to be working fine and there are no zmfilter errors in any of the log files.

What version of perl is on your system?
Are you using the version from the base repo?

Hi! Sorry for the huge delay in my answer but i was waiting for an email telling me there was a reply in this thread..
haha

well, answering your question yes i am using perl from centos base repo, here is my output if helps:

perl -v

This is perl, v5.10.1 (*) built for x86_64-linux-thread-multi

Copyright 1987-2009, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at ***, the Perl Home Page.

Regards

[knight-of-ni]

*BUMP*

Zoneminder 1.26.5 RPM's are now available!

[duli]

Hello:

Just installed zoneminder in CentOS 6.5 following this topic instructions and everything went just fine.

The service can be started in the console and no error messages are displayed.

When I open the web interface and click "stopped" in order to start, I get the following error msgs in the logs:

2013-12-25 14:42:56.576560 zmpkg 12065 ERR Unable to run "/usr/bin/zmdc.pl startup", output is "Starting server" zmpkg.pl
2013-12-25 14:42:56.557590 zmdc 12074 FAT Can't connect: Permission denied zmdc.pl
2013-12-25 14:42:48.645770 zmdc 12076 FAT Can't bind: Address already in use zmdc.pl

Any ideas?

Thanks a lot.

[duli]

Hello:

Just installed zoneminder in CentOS 6.5 following this topic instructions and everything went just fine.

The service can be started in the console and no error messages are displayed.

When I open the web interface and click "stopped" in order to start, I get the following error msgs in the logs:

2013-12-25 14:42:56.576560 zmpkg 12065 ERR Unable to run "/usr/bin/zmdc.pl startup", output is "Starting server" zmpkg.pl
2013-12-25 14:42:56.557590 zmdc 12074 FAT Can't connect: Permission denied zmdc.pl
2013-12-25 14:42:48.645770 zmdc 12076 FAT Can't bind: Address already in use zmdc.pl

Any ideas?

Thanks a lot.

Just found out. Disabling SELINUX has solved it.

[knight-of-ni]

Just found out. Disabling SELINUX has solved it.

From another thread, you stated that that you are running Zoneminder 1.25. Try upgrading to the latest 1.26.5 RPM at the beginning of this thread. You should not experience any selinux or zmfilter issues with these.

[duli]

Just found out. Disabling SELINUX has solved it.

From another thread, you stated that that you are running Zoneminder 1.25. Try upgrading to the latest 1.26.5 RPM at the beginning of this thread. You should not experience any selinux or zmfilter issues with these.

No, I'm sorry. If I stated that, I've mistyped it. I'm running the latest 1.26.5, the one kindly provided in this thread via rpm package.

Code: Select all

ZoneMinder Console - Running - v1.26.5

[knight-of-ni]

* BUMP *
Special bugfix release of perl-sys-mmap has been added under Prerequisites. This fixes an issue with zmtrigger and the x10 module.

[oneru]

Just installed zoneminder in CentOS 6.5 following this topic instructions and everything went just fine.

The service can be started in the console and no error messages are displayed.

When I open the web interface and click "stopped" in order to start, I get the following error msgs in the logs:

2013-12-25 14:42:56.576560 zmpkg 12065 ERR Unable to run "/usr/bin/zmdc.pl startup", output is "Starting server" zmpkg.pl
2013-12-25 14:42:56.557590 zmdc 12074 FAT Can't connect: Permission denied zmdc.pl
2013-12-25 14:42:48.645770 zmdc 12076 FAT Can't bind: Address already in use zmdc.pl

Just did a zoneminder 1.26.5 install on Centos6, and had the exact same issue. Web interface reports the service stopped even though "service zoneminder status" shows running. Disabling selinux does allow the web interface to connect correctly.

I'll attempt to sort the selinux issues and report back here if I discover anything helpful.

[knight-of-ni]

Please provide the relevant AVC messages from your system log files.

Instructions that describe the process are here:
http://wiki.centos.org/HowTos/SELinux#h ... 191c257c01

Thanks.

[oneru]

Edit: Here is the link to the full logs:
pastebin 4NtFy31D
pastebin jX3BR1tf

Leaving out a bunch of the repeated messages, but here are the relevant.

When restarting the service and attempting to use the web interface, I see these lines:

Code: Select all

type=AVC msg=audit(1393023280.624:1465): avc:  denied  { write } for  pid=5174 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1393023280.624:1465): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=23f8720 a2=6e a3=7fff113ee720 items=0 ppid=1368 pid=5174 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="zmdc.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1393023280.780:1466): avc:  denied  { write } for  pid=5176 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file

When trying to restart the service from the web interface, I get these:

Code: Select all

type=AVC msg=audit(1393023419.897:1467): avc:  denied  { write } for  pid=5189 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023422.309:1468): avc:  denied  { write } for  pid=5191 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023423.789:1469): avc:  denied  { write } for  pid=5198 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023423.960:1470): avc:  denied  { write } for  pid=5203 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023423.965:1471): avc:  denied  { write } for  pid=5203 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023424.965:1472): avc:  denied  { write } for  pid=5203 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023425.034:1473): avc:  denied  { search } for  pid=5208 comm="killall" name="1335" dev=proc ino=12545 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=dir
type=AVC msg=audit(1393023425.034:1474): avc:  denied  { search } for  pid=5208 comm="killall" name="1344" dev=proc ino=12547 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=dir
type=AVC msg=audit(1393023425.035:1475): avc:  denied  { search } for  pid=5208 comm="killall" name="4616" dev=proc ino=70379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=dir
type=AVC msg=audit(1393023425.035:1476): avc:  denied  { search } for  pid=5208 comm="killall" name="5107" dev=proc ino=72674 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1393023425.035:1477): avc:  denied  { search } for  pid=5208 comm="killall" name="5133" dev=proc ino=73194 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
. . . .
type=AVC msg=audit(1393023426.154:1653): avc:  denied  { search } for  pid=5227 comm="killall" name="5167" dev=proc ino=73053 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1393023426.155:1654): avc:  denied  { unlink } for  pid=5205 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1393023426.965:1655): avc:  denied  { write } for  pid=5203 comm="zmdc.pl" name="zmdc.sock" dev=dm-0 ino=2622903 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file

Yet another complaint:

Code: Select all

type=AVC msg=audit(1393024525.799:1684): avc:  denied  { create } for  pid=1371 comm="httpd" name="zms-298109w.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file

OK, after more fighting with SE Linux than I ever wanted, here is the final audit2allow file:

Code: Select all

module zoneminder 1.0;

require {
        type afs_ka_port_t;
        type netsupport_port_t;
        type port_t;
        type presence_port_t;
        type postfix_pickup_t;
        type ionixnetmon_port_t;
        type glance_port_t;
        type syslogd_port_t;
        type mmcc_port_t;
        type postfix_master_t;
        type commplex_port_t;
        type httpd_t;
        type dcc_port_t;
        type sip_port_t;
        type amqp_port_t;
        type condor_port_t;
        type afs_fs_port_t;
        type nodejs_debug_port_t;
        type websm_port_t;
        type afs_pt_port_t;
        type postfix_qmgr_t;
        type git_port_t;
        type ipp_port_t;
        type aol_port_t;
        class udp_socket name_bind;
        class file { getattr read open };
}


#============= httpd_t ==============
allow httpd_t afs_fs_port_t:udp_socket name_bind;
allow httpd_t afs_ka_port_t:udp_socket name_bind;
allow httpd_t afs_pt_port_t:udp_socket name_bind;
allow httpd_t amqp_port_t:udp_socket name_bind;
allow httpd_t aol_port_t:udp_socket name_bind;
allow httpd_t commplex_port_t:udp_socket name_bind;
allow httpd_t condor_port_t:udp_socket name_bind;
allow httpd_t dcc_port_t:udp_socket name_bind;
allow httpd_t git_port_t:udp_socket name_bind;
allow httpd_t glance_port_t:udp_socket name_bind;
allow httpd_t ionixnetmon_port_t:udp_socket name_bind;

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow httpd_t ipp_port_t:udp_socket name_bind;
allow httpd_t mmcc_port_t:udp_socket name_bind;
allow httpd_t netsupport_port_t:udp_socket name_bind;
allow httpd_t nodejs_debug_port_t:udp_socket name_bind;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_verify_dns, allow_ypbind
allow httpd_t port_t:udp_socket name_bind;

#!!!! This avc is allowed in the current policy
allow httpd_t postfix_master_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow httpd_t postfix_pickup_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow httpd_t postfix_qmgr_t:file { read getattr open };
allow httpd_t presence_port_t:udp_socket name_bind;
allow httpd_t sip_port_t:udp_socket name_bind;

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow httpd_t syslogd_port_t:udp_socket name_bind;
allow httpd_t websm_port_t:udp_socket name_bind;

[oneru]

Naturally, there was one thing missing. Recording gave me yet another error:

Code: Select all

type=AVC msg=audit(1393040778.058:15135): avc:  denied  { create } for  pid=7851 comm="zma" name=".4" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file

Final policy file:

Code: Select all

module zoneminder 1.1;

require {
        type afs_ka_port_t;
        type netsupport_port_t;
        type port_t;
        type presence_port_t;
        type postfix_pickup_t;
        type httpd_t;
        type var_lib_t;
        type ionixnetmon_port_t;
        type glance_port_t;
        type mmcc_port_t;
        type postfix_master_t;
        type commplex_port_t;
        type syslogd_port_t;
        type dcc_port_t;
        type sip_port_t;
        type amqp_port_t;
        type condor_port_t;
        type afs_fs_port_t;
        type nodejs_debug_port_t;
        type httpd_var_lib_t;
        type websm_port_t;
        type afs_pt_port_t;
        type postfix_qmgr_t;
        type git_port_t;
        type ipp_port_t;
        type aol_port_t;
        class sock_file { write create unlink };
        class lnk_file create;
        class dir search;
        class udp_socket name_bind;
        class file { getattr read open };
}
#============= httpd_t ==============

allow httpd_t afs_fs_port_t:udp_socket name_bind;
allow httpd_t afs_ka_port_t:udp_socket name_bind;
allow httpd_t afs_pt_port_t:udp_socket name_bind;
allow httpd_t amqp_port_t:udp_socket name_bind;
allow httpd_t aol_port_t:udp_socket name_bind;
allow httpd_t commplex_port_t:udp_socket name_bind;
allow httpd_t condor_port_t:udp_socket name_bind;
allow httpd_t dcc_port_t:udp_socket name_bind;
allow httpd_t git_port_t:udp_socket name_bind;
allow httpd_t glance_port_t:udp_socket name_bind;
allow httpd_t httpd_var_lib_t:lnk_file create;
allow httpd_t ionixnetmon_port_t:udp_socket name_bind;
allow httpd_t ipp_port_t:udp_socket name_bind;
allow httpd_t mmcc_port_t:udp_socket name_bind;
allow httpd_t netsupport_port_t:udp_socket name_bind;
allow httpd_t nodejs_debug_port_t:udp_socket name_bind;
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t postfix_master_t:dir search;
allow httpd_t postfix_master_t:file { read getattr open };
allow httpd_t postfix_pickup_t:dir search;
allow httpd_t postfix_pickup_t:file { read getattr open };
allow httpd_t postfix_qmgr_t:dir search;
allow httpd_t postfix_qmgr_t:file { read getattr open };
allow httpd_t presence_port_t:udp_socket name_bind;

[knight-of-ni]

Excellent. I will integrate that into the existing local security policy and have it ready for the 1.27 release:
https://github.com/ZoneMinder/ZoneMinde ... eminder.te

[knight-of-ni]

* BUMP *
ZoneMinder 1.27 Release Candidate RPMs are available for download now.
The repository configuration has changed so it is very important for existing users to follow the new instructions.

[BiloxiGeek]

* BUMP *
ZoneMinder 1.27 Release Candidate RPMs are available for download now.
The repository configuration has changed so it is very important for existing users to follow the new instructions.

Gonna try to get the 1.27 installed today or tomorrow after work. I really should do a fresh clean install first though. I've done enough jiggery-pokery on the system that it most likely has a good amount of kruft hanging around.

One question: I use predominantly Scientific Linux at work so I've been using it at home as well just for consistency. It also helps with updates for my systems since a lot of packages end up in squid, so they don't get downloaded for all my systems, just the first one. I can't think of any reason that using your CentOS instructions should have any problems on an SL 6.5 system. Can you?

[knight-of-ni]

One question: I use predominantly Scientific Linux at work so I've been using it at home as well just for consistency. It also helps with updates for my systems since a lot of packages end up in squid, so they don't get downloaded for all my systems, just the first one. I can't think of any reason that using your CentOS instructions should have any problems on an SL 6.5 system. Can you?

If SL 6.5 maintains a binary equivalence to RedHat like CentOS does then I would not expect any problems. On the other hand, I've never used SL 6.5.