Policy for zoneminder

Dominick Grift domg472 at gmail.com
Wed Jun 10 20:28:45 UTC 2009


On Wed, 2009-06-10 at 14:10 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <domg472 at gmail.com> writes:
> 
> DG> Are you testing this on Fedora?
> 
> I comaintain it in Fedora.  My current zoneminder server runs F11.
> 
> DG> All i need is a "rpm -ql" and someone that can test my policy and
> DG> send feedback.
> 
> I don't fully understand the interaction between the daemon portion
> and the webapp portion (which as I understand it cannot be in a
> separate domain from httpd) but I'm not really sure it's as simple as
> looking at the file list.  Still, 'repoquery -l zoneminder' will show
> you that.
> 
>  - J<

Yes, as far as the webapp is concerned it will have to run as httpd_t if
it's PHP.

However the daemons can be confined.

I downloaded the package and found it has a lot of executable files.
I was looking into the zoneminder init script and noticed a few of those
executables are run by initrc_t (zmu, zmpkg, zmupdate).

I have created some declarations for those executables and made their
domains permissive. I also defined file contexts for the executable
files and the pid, log and config files.

The source policy is here:
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.te
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.if
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.fc
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.pp

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i zoneminder.pp
sudo restorecon -v -R /etc/rc.d/init.d/zoneminder /etc/zoneminder /var/log/zoneminder /usr/bin/zmpkg /usr/bin/zmu /usr/bin/zmupdate

(restore each location in zoneminder.fc)

Then run it, test the app, and collect all the AVC denials.
Please send those AVC denials to me so that I can extend and perfect the
policy.

Please mind that the webapp will not work yet, and probably many other
things with that.

I have only made some declarations that I thought should be made to get
started. (no policy yet)

Thanks
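As an added illustration, not the author's posted module (which lives at the URLs above), this is the kind of reference-policy skeleton the message describes: one domain per init-started executable, each marked permissive so denials are logged but not enforced, plus types for the config, log and pid files, with the matching file-context entries appended after a comment divider. The type names and the pid directory path are my assumptions; the real zoneminder.te/.fc may differ.

```selinux
policy_module(zoneminder, 0.0.1)

########################################
# Declarations: one domain per executable started by the init script.
# "permissive" means AVC denials are logged but not enforced, which is
# what you want while collecting denials to build the real policy.

type zmu_t;
type zmu_exec_t;
init_daemon_domain(zmu_t, zmu_exec_t)
permissive zmu_t;

type zmpkg_t;
type zmpkg_exec_t;
init_daemon_domain(zmpkg_t, zmpkg_exec_t)
permissive zmpkg_t;

type zmupdate_t;
type zmupdate_exec_t;
init_daemon_domain(zmupdate_t, zmupdate_exec_t)
permissive zmupdate_t;

# File types shared by the three domains (names are assumptions).
type zoneminder_etc_t;
files_config_file(zoneminder_etc_t)

type zoneminder_log_t;
logging_log_file(zoneminder_log_t)

type zoneminder_var_run_t;
files_pid_file(zoneminder_var_run_t)

########################################
# zoneminder.fc (separate file; shown here for completeness).
# Paths match the restorecon line in the message; /var/run/zoneminder
# is an assumed pid directory.
#
# /usr/bin/zmu           --  gen_context(system_u:object_r:zmu_exec_t,s0)
# /usr/bin/zmpkg         --  gen_context(system_u:object_r:zmpkg_exec_t,s0)
# /usr/bin/zmupdate      --  gen_context(system_u:object_r:zmupdate_exec_t,s0)
# /etc/zoneminder(/.*)?      gen_context(system_u:object_r:zoneminder_etc_t,s0)
# /var/log/zoneminder(/.*)?  gen_context(system_u:object_r:zoneminder_log_t,s0)
# /var/run/zoneminder(/.*)?  gen_context(system_u:object_r:zoneminder_var_run_t,s0)
```

With the domains permissive, `ausearch -m avc -ts recent` after exercising the app yields the denials the message asks for, and `audit2allow -M` over them gives a first cut of the allow rules.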
