|Main Archive Page > Month Archives > fedora-selinux archives|
On Wed, 2009-06-10 at 14:10 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <email@example.com> writes:
> DG> Are you testing this on Fedora?
> I comaintain it in Fedora. My current zoneminder server runs F11.
> DG> All i need is a "rpm -ql" and someone that can test my policy and
> DG> send feedback.
> I don't fully understand the interaction between the daemon portion
> and the webapp portion (which as I understand it cannot be in a
> separate domain from httpd) but I'm not really sure it's as simple as
> looking at the file list. Still, 'repoquery -l zoneminder' will show
> you that.
> - J<
Yes as far as the webapp is concerned it will have to run as httpd_t if its PHP.
However the daemons can be confined.
I downloaded the package and found it has a lot of executable files. I was looking into the zoneminder init script and noticed a few of those executables as run by initrc_t (zmu zmpkg zmupdate)
I have created some declarations for those executables and made their domains permissive. I also defined file contexts for the executable files, pid , log and config file.
The source policy is here: http://188.8.131.52/~dgrift/stuff/modules/zoneminder.te http://184.108.40.206/~dgrift/stuff/modules/zoneminder.if http://220.127.116.11/~dgrift/stuff/modules/zoneminder.fc http://18.104.22.168/~dgrift/stuff/modules/zoneminder.pp
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i zoneminder.pp
sudo restorecon -v
-R /etc/rc.d/init.d/zoneminder /etc/zoneminder /var/log/zoneminder /usr/bin/zmpkg /usr/bin/zmu /usr/bin/zmupdate
(restore each location in zoneminder.fc)
Then run i, test the app, and collect all the AVC denials. Please send those AVC denials to me so that i can extend and perfect the policy.
Please mind that the webapp will not work yet and probably many other things with that.
I have only made some declarations that i thought should be made to get started. (no policy yet)
Thanks -- fedora-selinux-list mailing list firstname.lastname@example.org https://www.redhat.com/mailman/listinfo/fedora-selinux-list