Policy for zoneminder

Dominick Grift domg472 at gmail.com
Wed Jun 10 08:27:54 UTC 2009


Hello,

Are you testing this on Fedora? If so, I can help you create proper
policy for both daemon and webapp. All I need is a "rpm -ql" and someone
that can test my policy and send feedback.

I recently also wrote policy for motion detection software called
motion, which is available on rpmfusion. That policy is not perfected
because it needs testing in not-so-standard scenarios, but a basic
configuration works just fine.

http://82.197.205.60/~dgrift/stuff/modules/motion.te
http://82.197.205.60/~dgrift/stuff/modules/motion.if
http://82.197.205.60/~dgrift/stuff/modules/motion.fc


On Tue, 2009-06-09 at 20:23 -0500, Jason L Tibbitts III wrote:
> Zoneminder (http://www.zoneminder.com) is a really nice web-based
> surveillance application that has been packaged for Fedora.  It runs as
> a combination of daemons (written in perl) and a php-based web
> interface, and it should come as no surprise that it has issues with
> selinux.
> 
> The zoneminder documentation includes some information on policy at
> http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
> including a policy module which I'll include at the end of this
> message.  I haven't tested it yet; I'm currently more concerned about
> whether there's any path to getting some kind of reasonable support
> for zoneminder into the base policy.  I don't really know enough to
> say what form that it should take; if the suggested policy module is
> really sufficient, a simple boolean that allows httpd to access a few
> extra things might be good.  However, the daemons, which currently seem
> to run as initrc_t, also need to be confined, and then things rapidly
> become complex beyond my limited understanding of selinux.
> 
> Here's the suggested policy:
> 
> module local_zoneminder 1.0;
> 
> require {
>         type httpd_t;
>         type initrc_var_run_t;
>         type initrc_t;
>         type v4l_device_t;
>         type file_t;                 # declared here but not used by any rule below
>         class unix_stream_socket { read connectto };   # only connectto is used below
>         class file { read lock };
>         class shm { unix_read unix_write associate read write getattr };
>         class chr_file getattr;
> }
> 
> #============= httpd_t ==============
> # the php front end (httpd_t) connects to the unix socket of the zm daemons,
> # which run unconfined as initrc_t
> allow httpd_t initrc_t:unix_stream_socket connectto;
> # ... and attaches to the SysV shared memory segments those daemons own
> allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
> # files the initrc_t daemons write under /var/run (pid files)
> allow httpd_t initrc_var_run_t:file { read lock };
> # stat() of the video capture device node
> allow httpd_t v4l_device_t:chr_file getattr;
> 
> 
>  - J<
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
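The quoted module has a property worth spelling out: because the daemons run as initrc_t, every rule it writes against initrc_t (the unix_stream_socket connectto, the shm access, the initrc_var_run_t files) grants httpd_t the same access to every other daemon that is started by an init script and stays in initrc_t, not just to zoneminder. That is why a boolean only becomes meaningful once the daemons have a domain of their own. The following is an added example, written for this page and not code from either poster, from the zoneminder wiki or from Fedora's policy, of what such a dedicated refpolicy module could look like. The type names (zoneminder_t, zoneminder_exec_t, zoneminder_var_run_t, ...), the boolean name httpd_can_connect_zoneminder, and the mysql and network-camera rules are assumptions about a typical setup; the httpd rules mirror, one for one, the four allow rules in the quoted local_zoneminder module.

```selinux
policy_module(zoneminder, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow httpd to connect to the zoneminder daemons over their unix
## socket and to read the frame buffers they keep in shared memory.
## </p>
## </desc>
gen_tunable(httpd_can_connect_zoneminder, false)

# The capture and analysis daemons get their own domain instead of
# staying in initrc_t (assumed type names).
type zoneminder_t;
type zoneminder_exec_t;
init_daemon_domain(zoneminder_t, zoneminder_exec_t)

type zoneminder_initrc_exec_t;
init_script_file(zoneminder_initrc_exec_t)

# pid files and the control socket under /var/run, so that httpd no
# longer needs access to the generic initrc_var_run_t type
type zoneminder_var_run_t;
files_pid_file(zoneminder_var_run_t)

type zoneminder_var_log_t;
logging_log_file(zoneminder_var_log_t)

########################################
#
# zoneminder daemon local policy
#

allow zoneminder_t self:process { signal signull };
allow zoneminder_t self:fifo_file rw_fifo_file_perms;
allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
# SysV shared memory segments; they are labelled with the creating
# domain, so httpd below is granted access to zoneminder_t:shm
allow zoneminder_t self:shm create_shm_perms;

manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
manage_sock_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file sock_file })

manage_files_pattern(zoneminder_t, zoneminder_var_log_t, zoneminder_var_log_t)
logging_log_filetrans(zoneminder_t, zoneminder_var_log_t, file)

# the perl daemons execute the interpreter and helper programs
corecmd_exec_bin(zoneminder_t)

# local V4L capture devices
dev_read_video_dev(zoneminder_t)
dev_write_video_dev(zoneminder_t)

# network cameras fetched over HTTP (assumption about the deployment)
corenet_tcp_connect_http_port(zoneminder_t)

files_read_etc_files(zoneminder_t)
kernel_read_system_state(zoneminder_t)
miscfiles_read_localization(zoneminder_t)

# event database (assumption about the deployment)
optional_policy(`
	mysql_stream_connect(zoneminder_t)
')

########################################
#
# httpd (php front end) access, gated by the boolean
#

optional_policy(`
	gen_require(`
		type httpd_t;
	')

	tunable_policy(`httpd_can_connect_zoneminder',`
		# replaces: allow httpd_t initrc_t:unix_stream_socket connectto;
		stream_connect_pattern(httpd_t, zoneminder_var_run_t, zoneminder_var_run_t, zoneminder_t)
		# replaces: allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
		allow httpd_t zoneminder_t:shm rw_shm_perms;
		# replaces: allow httpd_t initrc_var_run_t:file { read lock };
		read_files_pattern(httpd_t, zoneminder_var_run_t, zoneminder_var_run_t)
		# replaces: allow httpd_t v4l_device_t:chr_file getattr;
		dev_getattr_video_dev(httpd_t)
	')
')
```

A companion zoneminder.fc has to label the daemon binaries with zoneminder_exec_t and the init script with zoneminder_initrc_exec_t; the paths for that are exactly what the "rpm -ql" output asked for above would supply, so none are guessed here. Built with the Fedora devel Makefile (`make -f /usr/share/selinux/devel/Makefile zoneminder.pp && semodule -i zoneminder.pp`), the module leaves httpd without any of the new access until `setsebool -P httpd_can_connect_zoneminder on` is run, and even then the access is scoped to the zoneminder types rather than to everything that runs as initrc_t. Denials that show up in /var/log/audit/audit.log while testing non-standard configurations can be turned into candidate rules with audit2allow, but each one should be checked against a dedicated type before being added.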