Policy for zoneminder
Jason L Tibbitts III
tibbs at math.uh.edu
Wed Jun 10 01:23:22 UTC 2009
Zoneminder (http://www.zoneminder.com) is a really nice web-based
surveillance application that's been packaged for Fedora. It runs as
a combination of daemons (written in perl) and a php-based web
interface, and it should come as no surprise that it has issues with
selinux.
The zoneminder documentation includes some information on policy at
http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
including a policy module which I'll include at the end of this
message. I haven't tested it yet; I'm currently more concerned about
whether there's any path to getting some kind of reasonable support
for zoneminder into the base policy. I don't really know enough to
say what form it should take; if the suggested policy module is
really sufficient, a simple boolean that allows httpd to access a few
extra things might be good. However, the daemons which currently seem
to run as initrc_t also need to be confined, and then things rapidly
become complex beyond my limited understanding of selinux.
Here's the suggested policy:
module local_zoneminder 1.0;

require {
	type httpd_t;
	type initrc_var_run_t;
	type initrc_t;
	type v4l_device_t;
	type file_t;
	class unix_stream_socket { read connectto };
	class file { read lock };
	class shm { unix_read unix_write associate read write getattr };
	class chr_file getattr;
}

#============= httpd_t ==============
# Let the php web interface (httpd_t) talk to the zoneminder daemons,
# which run unconfined-ish as initrc_t, over their unix socket and
# shared-memory frame buffers.
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
# Read/lock the daemons' pid and state files under /var/run.
allow httpd_t initrc_var_run_t:file { read lock };
# stat() the video4linux capture devices.
allow httpd_t v4l_device_t:chr_file getattr;
- J<
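For anyone who wants to try the module above before it lands anywhere near the base policy, here is the build/lint/load procedure as a shell script. This is an added example, not part of the original message or of the zoneminder project; the file and package names (local_zoneminder.te/.mod/.pp) are my choice, and the check_requires lint only catches the most common local-module mistake: an allow rule naming a type that was left out of the require block, which makes checkmodule fail.

```sh
#!/bin/sh
# Build, sanity-check and load the local_zoneminder SELinux module.
# Added example; assumes the policy-devel tools (checkmodule,
# semodule_package, semodule) are installed when build/load is run.

# Write the policy text from the message to $1.
write_te() {
  cat > "$1" <<'EOF'
module local_zoneminder 1.0;

require {
	type httpd_t;
	type initrc_var_run_t;
	type initrc_t;
	type v4l_device_t;
	type file_t;
	class unix_stream_socket { read connectto };
	class file { read lock };
	class shm { unix_read unix_write associate read write getattr };
	class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
EOF
}

# Lint: every source and target type used by an allow rule must be
# declared with "type NAME;" in the require block. Prints each missing
# declaration to stderr and returns 1 if any is missing, 0 otherwise.
check_requires() {
  cr_te="$1"
  cr_declared=$(awk '/^[[:space:]]*type[[:space:]]+[A-Za-z0-9_]+;/ {
                      sub(/;.*/, "", $2); print $2 }' "$cr_te")
  cr_rc=0
  # $2 is the source type, $3 is "target:class"; strip the class.
  for cr_t in $(awk '$1 == "allow" { gsub(/:.*/, "", $3); print $2; print $3 }' \
                  "$cr_te" | sort -u); do
    echo "$cr_declared" | grep -qx "$cr_t" || {
      echo "missing in require block: type $cr_t;" >&2
      cr_rc=1
    }
  done
  return $cr_rc
}

# Compile the .te into a binary .mod and wrap it in a .pp package.
build_module() {
  bm_te="$1"
  bm_base="${bm_te%.te}"
  checkmodule -M -m -o "$bm_base.mod" "$bm_te" &&
    semodule_package -o "$bm_base.pp" -m "$bm_base.mod"
}

# Install the package and confirm it is listed; needs root.
load_module() {
  semodule -i "$1" && semodule -l | grep '^local_zoneminder'
}

case "${1:-}" in
  build)
    write_te local_zoneminder.te
    check_requires local_zoneminder.te || exit 1
    build_module local_zoneminder.te
    ;;
  load)
    load_module local_zoneminder.pp
    ;;
esac
```

Run `sh build.sh build` as an unprivileged user and `sudo sh build.sh load` afterwards. If zoneminder still trips denials once the module is loaded, `ausearch -m avc -ts recent | audit2allow -m local_zoneminder` regenerates the rule list in the same audit2allow format the message uses, and each new rule should be read before being allowed rather than pasted in blindly.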