Policy for zoneminder
Dominick Grift
domg472 at gmail.com
Wed Jun 10 08:27:54 UTC 2009
Hello,
Are you testing this on Fedora? If so, I can help you create proper
policy for both daemon and webapp. All I need is a "rpm -ql" and someone
that can test my policy and send feedback.
I recently also wrote policy for a motion detection software called
motion which is available on rpmfusion. That policy is not perfected
because it needs testing in not so standard scenarios, but a basic
configuration works just fine.
http://82.197.205.60/~dgrift/stuff/modules/motion.te
http://82.197.205.60/~dgrift/stuff/modules/motion.if
http://82.197.205.60/~dgrift/stuff/modules/motion.fc
On Tue, 2009-06-09 at 20:23 -0500, Jason L Tibbitts III wrote:
> Zoneminder (http://www.zoneminder.com) is a really nice web-based
> surveillance application that's been packaged for Fedora. It runs as
> a combination of daemons (written in perl) and a php-based web
> interface and it should come as no surprise that it has issues with
> selinux.
>
> The zoneminder documentation includes some information on policy at
> http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
> including a policy module which I'll include at the end of this
> message. I haven't tested it yet; I'm currently more concerned about
> whether there's any path to getting some kind of reasonable support
> for zoneminder into the base policy. I don't really know enough to
> say what form that it should take; if the suggested policy module is
> really sufficient, a simple boolean that allows httpd to access a few
> extra things might be good. However, the daemons which currently seem
> to run as initrc_t also need to be confined, then things rapidly
> become complex beyond my limited understanding of selinux.
>
> Here's the suggested policy:
>
> module local_zoneminder 1.0;
>
> require {
> type httpd_t;
> type initrc_var_run_t;
> type initrc_t;
> type v4l_device_t;
> type file_t;
> class unix_stream_socket { read connectto };
> class file { read lock };
> class shm { unix_read unix_write associate read write getattr };
> class chr_file getattr;
> }
>
> #============= httpd_t ==============
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
> allow httpd_t initrc_var_run_t:file { read lock };
> allow httpd_t v4l_device_t:chr_file getattr;
>
>
> - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
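The suggested module above grants httpd_t access to sockets, shared memory and pid files that are labelled for the init-script domain (initrc_t / initrc_var_run_t), which is exactly the part that would change once the perl daemons get a domain of their own. The following is an added example, not code from the thread, from zoneminder or from the reference policy: a small Python checker that parses a module of this shape (its `require` block and `allow` rules; no other statement types are handled) and reports declarations that no rule uses, names used without a declaration (which checkmodule would reject), and every rule whose target is an initrc_ labelled object. The embedded module text is a copy of the one quoted above with the quote markers stripped. It is a review aid only; checkmodule and semodule_package remain the tools that actually build the module.

```python
"""Review aid for a small SELinux policy module (.te).

Added example, not code from the mailing-list thread or from zoneminder.
Parses `require { ... }` and `allow` statements only and reports:
  * types and class permissions declared in `require` but never used
  * types or permissions used by a rule but not declared (checkmodule
    would refuse to compile such a module)
  * rules whose target is an initrc_ labelled object, i.e. access to
    daemons that still run unconfined in the init-script domain
"""
import re

# Copy of the module quoted in the thread, quote markers removed.
LOCAL_ZONEMINDER_TE = """
module local_zoneminder 1.0;

require {
type httpd_t;
type initrc_var_run_t;
type initrc_t;
type v4l_device_t;
type file_t;
class unix_stream_socket { read connectto };
class file { read lock };
class shm { unix_read unix_write associate read write getattr };
class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
"""

# The closing brace of the require block sits at the start of a line;
# the inner `{ perm perm }` braces never do, so `^\}` ends the block.
REQUIRE_BLOCK_RE = re.compile(r"require\s*\{(.*?)^\}", re.S | re.M)
REQ_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
REQ_CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def _perms(token):
    """Turn '{ read lock }' or 'getattr' into a set of permission names."""
    return set(token.strip("{} ").split())


def parse_module(text):
    """Return (required_types, required_classes, rules).

    required_classes maps class -> set of declared permissions;
    rules is a list of (source, target, class, set_of_permissions).
    """
    m = REQUIRE_BLOCK_RE.search(text)
    body = m.group(1) if m else ""
    req_types = set(REQ_TYPE_RE.findall(body))
    req_classes = {cls: _perms(p) for cls, p in REQ_CLASS_RE.findall(body)}
    rules = [(src, tgt, cls, _perms(p))
             for src, tgt, cls, p in ALLOW_RE.findall(text)]
    return req_types, req_classes, rules


def check_module(text):
    """Cross-check the require block against the allow rules."""
    req_types, req_classes, rules = parse_module(text)
    used_types, used_perms = set(), {}
    for src, tgt, cls, perms in rules:
        used_types.update((src, tgt))
        used_perms.setdefault(cls, set()).update(perms)

    unused_types = req_types - used_types
    unused_perms = {(cls, p) for cls, perms in req_classes.items()
                    for p in perms - used_perms.get(cls, set())}
    # Undeclared names mix bare type names and (class, permission) pairs.
    undeclared = used_types - req_types
    undeclared |= {(cls, p) for cls, perms in used_perms.items()
                   for p in perms - req_classes.get(cls, set())}
    # Targets in the init-script domain: these rules disappear once the
    # daemons are moved into a domain of their own.
    initrc_targets = sorted((tgt, cls) for _, tgt, cls, _ in rules
                            if tgt.startswith("initrc_"))
    return {"rules": len(rules), "unused_types": unused_types,
            "unused_perms": unused_perms, "undeclared": undeclared,
            "initrc_targets": initrc_targets}


if __name__ == "__main__":
    for key, value in check_module(LOCAL_ZONEMINDER_TE).items():
        print(f"{key}: {value}")
```

Run against the quoted module it reports `file_t` as declared but unused, `read` on unix_stream_socket as a declared permission no rule needs, nothing undeclared, and three of the four rules targeting initrc_ labelled objects; only the v4l_device_t getattr rule would survive a move of the daemons into their own domain.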