Policy for zoneminder

Jason L Tibbitts III tibbs at math.uh.edu
Wed Jun 10 01:23:22 UTC 2009


Zoneminder (http://www.zoneminder.com) is a really nice web-based
surveillance application that's been packaged for Fedora.  It runs as
a combination of daemons (written in perl) and a php-based web
interface and it should come as no surprise that it has issues with
selinux.

The zoneminder documentation includes some information on policy at
http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
including a policy module which I'll include at the end of this
message.  I haven't tested it yet; I'm currently more concerned about
whether there's any path to getting some kind of reasonable support
for zoneminder into the base policy.  I don't really know enough to
say what form that it should take; if the suggested policy module is
really sufficient, a simple boolean that allows httpd to access a few
extra things might be good.  However, if the daemons which currently
seem to run as initrc_t also need to be confined, then things rapidly
become complex beyond my limited understanding of selinux.

Here's the suggested policy:

module local_zoneminder 1.0;

require {
    type httpd_t;
    type initrc_var_run_t;
    type initrc_t;
    type v4l_device_t;
    type file_t;
    class unix_stream_socket { read connectto };
    class file { read lock };
    class shm { unix_read unix_write associate read write getattr };
    class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;


 - J<
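The message asks whether the quoted module is "really sufficient". One way to answer that before loading anything is to check the module's allow rules against the AVC denials the system actually logs. The following script is an added example, not code from the message or from the Zoneminder project: it embeds the policy module quoted above, parses its allow rules and require block, and compares them with a handful of constructed audit lines in the standard AVC format (shaped like `ausearch -m avc` output, not captured from the author's system). It reports denials the module does not cover and prints the allow rule that would close each gap, much as audit2allow would, and it also flags require declarations the module never uses (file_t in the quoted module).

```python
import re
from collections import defaultdict

# The policy module quoted in the message, embedded so the script runs stand-alone.
POLICY_TE = """\
module local_zoneminder 1.0;

require {
    type httpd_t;
    type initrc_var_run_t;
    type initrc_t;
    type v4l_device_t;
    type file_t;
    class unix_stream_socket { read connectto };
    class file { read lock };
    class shm { unix_read unix_write associate read write getattr };
    class chr_file getattr;
}

allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
"""

# Constructed audit lines (assumption: not real output from any system), in the
# AVC record format the kernel emits. The SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1244596530.101:201): avc:  denied  { connectto } for  pid=2201 comm="httpd" path="/var/run/zm/zms.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1244596530.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1244596531.202:202): avc:  denied  { read write } for  pid=2201 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm',
    'type=AVC msg=audit(1244596532.303:203): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/dev/video0" dev=tmpfs ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1244596533.404:204): avc:  denied  { read } for  pid=2201 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
]

# allow <src> <tgt>:<class> { p1 p2 } ;   or   allow <src> <tgt>:<class> p ;
ALLOW_RE = re.compile(
    r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;', re.M)
# avc: denied { perms } ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?\bscontext=(\S+)\s.*?\btcontext=(\S+)\s.*?\btclass=(\w+)')


def parse_allow_rules(te_text):
    """Map (source type, target type, object class) -> set of permissions granted."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        perms = braced.split() if braced else [single]
        rules[(src, tgt, cls)].update(perms)
    return rules


def context_type(ctx):
    """user:role:type[:mls] -> type (third field, regardless of MLS/MCS suffix)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return (src_type, tgt_type, class, frozenset(perms)) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, sctx, tctx, tclass = m.groups()
    return (context_type(sctx), context_type(tctx), tclass, frozenset(perms.split()))


def uncovered_denials(rules, audit_lines):
    """Denied permissions that no allow rule in `rules` grants, keyed like `rules`."""
    missing = defaultdict(set)
    for line in audit_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        gap = perms - rules.get((src, tgt, cls), set())
        if gap:
            missing[(src, tgt, cls)].update(gap)
    return dict(missing)


def suggest_rules(missing):
    """Render uncovered denials as allow rules in .te syntax (audit2allow style)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(missing.items())]


def require_check(te_text, rules=None):
    """(types used but not declared, types declared but never used) for the require block."""
    rules = rules if rules is not None else parse_allow_rules(te_text)
    m = re.search(r'require\s*\{(.*?)^\}', te_text, re.S | re.M)
    declared = set(re.findall(r'\btype\s+(\w+)\s*;', m.group(1))) if m else set()
    used = {t for (src, tgt, _cls) in rules for t in (src, tgt)}
    return used - declared, declared - used


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY_TE)
    undeclared, unused = require_check(POLICY_TE, rules)
    print("types used but not declared:", sorted(undeclared) or "none")
    print("types declared but never used:", sorted(unused) or "none")
    for rule in suggest_rules(uncovered_denials(rules, SAMPLE_AUDIT)):
        print("denial not covered by the module:", rule)
```

Of the five constructed records, the first four denials are covered by the quoted rules; the fifth (a `read` on the initrc_t socket, which the require block mentions but no allow rule grants) is reported as uncovered. Feeding real `ausearch -m avc` output into SAMPLE_AUDIT instead gives a quick answer to the "is it sufficient" question before anything is loaded with semodule.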