fedora-selinux June 2009 archive

Re: Policy for zoneminder

From: Dominick Grift <domg472_at_nospam>
Date: Wed Jun 10 2009 - 20:28:45 GMT
To: Jason L Tibbitts III <tibbs@math.uh.edu>


On Wed, 2009-06-10 at 14:10 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <domg472@gmail.com> writes:
>
> DG> Are you testing this on Fedora?
>
> I comaintain it in Fedora. My current zoneminder server runs F11.
>
> DG> All i need is a "rpm -ql" and someone that can test my policy and
> DG> send feedback.
>
> I don't fully understand the interaction between the daemon portion
> and the webapp portion (which as I understand it cannot be in a
> separate domain from httpd) but I'm not really sure it's as simple as
> looking at the file list. Still, 'repoquery -l zoneminder' will show
> you that.
>
> - J<

Yes, as far as the webapp is concerned it will have to run as httpd_t if it's PHP.

However the daemons can be confined.

I downloaded the package and found it has a lot of executable files. I was looking into the zoneminder init script and noticed a few of those executables are run by initrc_t (zmu, zmpkg, zmupdate).

I have created some declarations for those executables and made their domains permissive. I also defined file contexts for the executable files, pid, log and config file.

The source policy is here:

http://82.197.205.60/~dgrift/stuff/modules/zoneminder.te
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.if
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.fc
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.pp

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i zoneminder.pp
sudo restorecon -v -R /etc/rc.d/init.d/zoneminder /etc/zoneminder /var/log/zoneminder /usr/bin/zmpkg /usr/bin/zmu /usr/bin/zmupdate

(restore each location in zoneminder.fc)

Then run it, test the app, and collect all the AVC denials. Please send those AVC denials to me so that I can extend and perfect the policy.

Please mind that the webapp will not work yet and probably many other things with that.

I have only made some declarations that I thought should be made to get started. (no policy yet)

Thanks

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
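For readers who cannot fetch the linked files, here is an added illustration (not the module from the URLs above, and not the list author's code) of what a first-pass reference-policy module of the kind described in the message looks like: one permissive domain per daemon the init script starts, plus file types for the config, log and pid locations. Every type name, the macro choices and the pid path are assumptions; the .if file can be left empty for this stage.

```selinux
# zoneminder.te  (added example; every type name and macro choice here is
# an assumption, not taken from the module at the URLs above)
policy_module(zoneminder, 0.0.1)

# One domain per executable the init script starts from initrc_t.
type zmpkg_t;
type zmpkg_exec_t;
init_daemon_domain(zmpkg_t, zmpkg_exec_t)

type zmu_t;
type zmu_exec_t;
init_daemon_domain(zmu_t, zmu_exec_t)

type zmupdate_t;
type zmupdate_exec_t;
init_daemon_domain(zmupdate_t, zmupdate_exec_t)

# Init script gets its own label so init can transition into it.
type zoneminder_initrc_exec_t;
init_script_file(zoneminder_initrc_exec_t)

# File types for config, log and pid files.
type zoneminder_etc_t;
files_config_file(zoneminder_etc_t)

type zoneminder_log_t;
logging_log_file(zoneminder_log_t)

type zoneminder_var_run_t;
files_pid_file(zoneminder_var_run_t)

# Permissive: denials are still logged as AVCs but not enforced, so the
# app keeps running while the denials needed to write allow rules pile up.
permissive zmpkg_t;
permissive zmu_t;
permissive zmupdate_t;

# zoneminder.fc  (paths are the ones in the restorecon line above, except
# the pid directory, which is assumed)
/etc/rc.d/init.d/zoneminder  --  gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
/etc/zoneminder(/.*)?            gen_context(system_u:object_r:zoneminder_etc_t,s0)
/usr/bin/zmpkg               --  gen_context(system_u:object_r:zmpkg_exec_t,s0)
/usr/bin/zmu                 --  gen_context(system_u:object_r:zmu_exec_t,s0)
/usr/bin/zmupdate            --  gen_context(system_u:object_r:zmupdate_exec_t,s0)
/var/log/zoneminder(/.*)?        gen_context(system_u:object_r:zoneminder_log_t,s0)
/var/run/zoneminder(/.*)?        gen_context(system_u:object_r:zoneminder_var_run_t,s0)
```

After building and loading it with the commands in the message, `ausearch -m avc -ts recent` gathers the denials the author asks testers to send back.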