Zoneminder and Selinux and the Infinite Story of Doom

Tristan Santore tristan.santore at internexusconnect.net
Tue May 21 13:47:43 UTC 2013


Dear All,

For the last few days Dominick and I have been trying to write a policy 
for Zoneminder, as the current policy does not seem to be working.

I will append what we gathered up so far below, however before I do, 
there seems to be an inherent problem with apache and sudo/su/pam, which 
seems to work in permissive mode, but as soon as I enable enforcing, 
b00m, I get these.

May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"

In permissive mode all is fine:

May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)

type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


Any insights would be most appreciated, as I would really like to see a 
policy for zoneminder that works, not only for myself, but so that we 
can have it in the Fedora stock policy.


Thank you for all your help, especially Dominick Grift's.

Regards,

Tristan


And the policy we have so far:

policy_module(myzonem, 1.0.0)
gen_require(` type zoneminder_t; ')
domain_read_all_domains_state(zoneminder_t)
logging_send_audit_msgs(zoneminder_t)
sudo_exec(zoneminder_t)
su_exec(zoneminder_t)
allow zoneminder_t self:process setrlimit;
allow zoneminder_t self:capability { setuid setgid sys_resource };
gen_require(`type httpd_zoneminder_script_exec_t; ')
can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
gen_require(` type zoneminder_var_lib_t; ')
manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
dbus_system_bus_client(zoneminder_t)
selinux_compute_access_vector(zoneminder_t)
allow zoneminder_t self:process setsched;


allow zoneminder_t self:key write;
auth_rw_lastlog(zoneminder_t)
systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
auth_domtrans_chk_passwd(zoneminder_t)
systemd_dbus_chat_logind(zoneminder_t)
gen_require(` type chkpwd_t; ')
allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
auth_read_shadow(zoneminder_t)
auth_domtrans_upd_passwd(zoneminder_t)
#gen_require(` type  systemd_logind_t; ')
#permissive systemd_logind_t;
gen_require(` type unconfined_t; role system_r; type zoneminder_exec_t; role unconfined_r; ')
domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
role_transition unconfined_r zoneminder_exec_t:file system_r;
domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t, zoneminder_t)
gen_require(` type httpd_t; ')
gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t;')
init_read_utmp(httpd_t)
read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)

require {
         type chkpwd_t;
         type httpd_t;
         type httpd_zoneminder_script_t;
         type sshd_t;
         class process { siginh noatsecure rlimitinh };
         class unix_stream_socket { read write };
}

#============= httpd_t ==============
allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure rlimitinh };

#============= httpd_zoneminder_script_t ==============
allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };

require {
         type passwd_t;
}
allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh rlimitinh };


-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
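A small triage helper for the kind of audit records quoted in the post above: it parses USER_CMD / USER_AUTH / SERVICE_START lines, flattens the nested msg='...' fields, and groups every res=failed event by the SELinux source domain, so one can see at a glance which domain (here zoneminder_t) and which executable (/usr/bin/su) the failing PAM authentication belongs to before touching the policy. This is an added example, not code from the post or from the Zoneminder or Fedora projects; the sample records are constructed to match the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: audit records in the same shape as the ones quoted in the post.
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
# key=value pairs; values may be "double-quoted", 'single-quoted' (the nested msg) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Parse one audit record into a dict; the nested msg='...' fields are flattened in."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in KV_RE.findall(m.group(4)):
        if key == "msg" and val.startswith("'"):
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    # subj is user:role:type:level; the type is what a policy rule is written against.
    if "subj" in rec:
        rec["domain"] = rec["subj"].split(":")[2]
    return rec

def failed_by_domain(text):
    """Map SELinux domain -> list of (type, op/cmd/comm, exe, acct) for res=failed records."""
    out = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("res") == "failed":
            what = rec.get("op") or rec.get("cmd") or rec.get("comm")
            out[rec["domain"]].append((rec["type"], what, rec.get("exe"), rec.get("acct")))
    return dict(out)

if __name__ == "__main__":
    for domain, events in failed_by_domain(SAMPLE_AUDIT).items():
        print(domain)
        for ev in events:
            print("   ", ev)
```

Run against /var/log/audit/audit.log instead of SAMPLE_AUDIT to see the same grouping for a live system.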

