Zoneminder and Selinux and the Infinite Story of Doom

Tristan Santore tristan.santore at internexusconnect.net
Tue May 21 14:11:33 UTC 2013


On 21/05/13 14:58, m.roth at 5-cent.us wrote:
> Tristan Santore wrote:
>> Dear All,
>>
>> For the last few days Dominick and I have been trying to write a policy
>> for Zoneminder, as the current policy does not seem to be working.
>>
>> I will append what we gathered up so far below, however before I do,
>> there seems to be an inherent problem with apache and sudo/su/pam, which
>> seems to work in permissive mode, but as soon as I enable enforcing,
>> b00m, I get these.
>>
>> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
>> password for [apache]
>> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
>> 1000" not met by user "apache"
>> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify
>> password for [apache]
>> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >=
>> 1000" not met by user "apache"
> <snip>
> I'm nowhere near that good with selinux, but
> a) the apache or httpd user normally has a GID under 1000 - that's the way
> it's installed. It is a system daemon.
> b) looks like something with apache wants a password. Is this a
> self-signed secure site that you gave it a password when you created the
> cert, so that it needs one to start up?
>
>        mark
>
I think it has more to do with the fact it is looking for a file or
something with information in, probably relating to sudo/pam.
And because there is some protection in selinux somewhere, maybe even in
Apache itself (although unlikely as it works in permissive mode), it
gets stuck, and we are not seeing any useful denials.

Zoneminder has a web front-end, some binaries, and they need to access 
/dev/video nodes. So that appears to be the reason why it uses sudo as 
some kind of protection. But I have not looked into it too much.
There are quite a few scripts, some binaries. Bit of a jumble yard.

With regards to certs... no certs.

Regards,

Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
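The su/PAM messages quoted in the thread are what a defender would want to pick out of the system log: a web daemon account trying to su and being rejected by pam_succeed_if's "uid >= 1000" requirement. Below is an added example, not code from the thread or from ZoneMinder, that parses such lines and counts rejected su attempts per system account; the log lines are constructed for the example, modelled on the quoted ones, and the regex is my own assumption about the message format.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the su/PAM lines quoted in the thread
# (not captured from a real host). One unrelated sshd line is mixed in.
SAMPLE_LOG = """\
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
May 21 14:20:01 hq sshd: pam_unix(sshd:session): session opened for user tristan by (uid=0)
May 21 14:21:07 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "postgres"
"""

# Assumed layout of a pam_succeed_if failure line:
# <syslog timestamp> <host> <program>: pam_succeed_if(<service>:<type>):
#   requirement "<req>" not met by user "<user>"
SUCCEED_IF_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): '
    r'pam_succeed_if\((?P<service>[^:]+):(?P<type>\w+)\): '
    r'requirement "(?P<req>[^"]+)" not met by user "(?P<user>[^"]+)"$'
)


def parse_succeed_if_failures(text):
    """Return one dict (ts, host, prog, service, type, req, user) per
    pam_succeed_if failure line; every other line is ignored."""
    return [m.groupdict() for m in map(SUCCEED_IF_RE.match, text.splitlines()) if m]


def system_account_su_attempts(text, min_uid=1000):
    """Count, per user, su attempts rejected because the account is a
    system account (uid below min_uid). A 'uid >= N' pam_succeed_if rule
    rejects exactly these, so the requirement string is matched literally."""
    counts = defaultdict(int)
    for ev in parse_succeed_if_failures(text):
        if ev["service"] == "su" and ev["req"] == f"uid >= {min_uid}":
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(system_account_su_attempts(SAMPLE_LOG).items()):
        print(f"{user}: {n} rejected su attempt(s) as a system account")
```

Pointing the parser at /var/log/secure (or the journal) shows which daemon accounts are calling su and how often, which is the first thing to know before deciding whether the policy, the PAM stack, or the application's use of su/sudo is what needs changing.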


More information about the selinux mailing list