Zoneminder and Selinux and the Infinite Story of Doom

Miroslav Grepl mgrepl at redhat.com
Tue May 21 14:00:10 UTC 2013


On 05/21/2013 03:47 PM, Tristan Santore wrote:
> Dear All,
>
> For the last few days Dominick and I have been trying to write a 
> policy for Zoneminder, as the current policy does not seem to be working.
>
> I will append what we gathered up so far below, however before I do, 
> there seems to be an inherent problem with apache and sudo/su/pam, 
> which seems to work in permissive mode, but as soon as I enable 
> enforcing, b00m, I get these.
>
> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
> May 21 14:18:23 hq su: pam_unix(su:auth): auth could not identify password for [apache]
> May 21 14:18:23 hq su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "apache"
>
> In permissive mode all is fine:
>
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
> May 21 14:32:03 hq su: pam_unix(su:session): session closed for user apache
> May 21 14:32:03 hq su: pam_unix(su:session): session opened for user apache by (uid=0)
>
> type=USER_CMD msg=audit(1369143877.597:513): pid=2196 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='cwd="/usr/share/zoneminder/www" cmd="true" terminal=? res=failed'
> type=USER_AUTH msg=audit(1369143877.611:514): pid=2197 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
> type=USER_AUTH msg=audit(1369143877.625:515): pid=2199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zoneminder_t:s0 msg='op=PAM:authentication acct="apache" exe="/usr/bin/su" hostname=? addr=? terminal=? res=failed'
> type=SERVICE_START msg=audit(1369143877.642:516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zoneminder" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>
>
> Any insights would be most appreciated, as I would really like to see 
> a policy for zoneminder that works, not only for myself, but so that 
> we can have it in the Fedora stock policy.
>
>
> Thank you for all your help, especially Dominick Grift's.
>
> Regards,
>
> Tristan
>
>
> And the policy we have so far:
>
> policy_module(myzonem, 1.0.0)
>
> # zoneminder_t daemon domain: process, capability and file permissions
> gen_require(` type zoneminder_t; ')
> domain_read_all_domains_state(zoneminder_t)
> logging_send_audit_msgs(zoneminder_t)
> sudo_exec(zoneminder_t)
> su_exec(zoneminder_t)
> allow zoneminder_t self:process setrlimit;
> allow zoneminder_t self:capability { setuid setgid sys_resource };
> gen_require(` type httpd_zoneminder_script_exec_t; ')
> can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
> gen_require(` type zoneminder_var_lib_t; ')
> manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> dbus_system_bus_client(zoneminder_t)
> selinux_compute_access_vector(zoneminder_t)
> allow zoneminder_t self:process setsched;
>
> # PAM and password checking needed for su/sudo run from zoneminder_t
> allow zoneminder_t self:key write;
> auth_rw_lastlog(zoneminder_t)
> systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
> auth_domtrans_chk_passwd(zoneminder_t)
> systemd_dbus_chat_logind(zoneminder_t)
> gen_require(` type chkpwd_t; ')
> allow zoneminder_t chkpwd_t:process { rlimitinh noatsecure siginh };
> auth_read_shadow(zoneminder_t)
> auth_domtrans_upd_passwd(zoneminder_t)
> #gen_require(` type  systemd_logind_t; ')
> #permissive systemd_logind_t;
>
> # Entry into zoneminder_t from an unconfined shell and from the web scripts
> gen_require(` type unconfined_t; role system_r; type zoneminder_exec_t; role unconfined_r; ')
> domtrans_pattern(unconfined_t, zoneminder_exec_t, zoneminder_t)
> role_transition unconfined_r zoneminder_exec_t:file system_r;
> domain_entry_file(zoneminder_t, httpd_zoneminder_script_exec_t)
> domtrans_pattern(unconfined_t, httpd_zoneminder_script_exec_t, zoneminder_t)
>
> # httpd_t and the zoneminder CGI script domain
> gen_require(` type httpd_t; ')
> gen_require(` type httpd_zoneminder_script_t; type zoneminder_tmpfs_t; ')
> init_read_utmp(httpd_t)
> read_files_pattern(httpd_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
> manage_dirs_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> manage_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
> allow httpd_t zoneminder_var_lib_t:dir list_dir_perms;
> init_daemon_domain(zoneminder_t, httpd_zoneminder_script_exec_t)
>
> # Raw rules in audit2allow output format
> require {
>         type chkpwd_t;
>         type httpd_t;
>         type httpd_zoneminder_script_t;
>         type sshd_t;
>         class process { siginh noatsecure rlimitinh };
>         class unix_stream_socket { read write };
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure rlimitinh };
>
> #============= httpd_zoneminder_script_t ==============
> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
>
> require {
>         type passwd_t;
> }
> allow passwd_t chkpwd_t:process { noatsecure siginh rlimitinh };
> # (repeats of the two rules above)
> allow httpd_zoneminder_script_t httpd_t:unix_stream_socket { read write };
> allow httpd_t httpd_zoneminder_script_t:process { noatsecure siginh rlimitinh };
>
>
After a quick review I see that this policy is probably coming to be unconfined. 
For example, it runs su/sudo directly.

Could you open a new bug?

Thank you.

Regards,
Miroslav
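As an added illustration of the review point above (this is not code from the thread, the Fedora policy or ZoneMinder): a small Python checker that scans a .te module for the rules that widen a daemon domain toward unconfined, in this case the su/sudo exec interfaces, setuid/setgid capabilities, direct shadow access and the inheritance permissions that refpolicy normally dontaudits. The interface watch-list and the policy excerpt are constructed for this example and assume the refpolicy interface names used in the quoted module.

```python
import re

# Constructed excerpt of the module quoted in the thread, not the whole file.
POLICY_TE = """
policy_module(myzonem, 1.0.0)
gen_require(` type zoneminder_t; ')
sudo_exec(zoneminder_t)
su_exec(zoneminder_t)
allow zoneminder_t self:process setrlimit;
allow zoneminder_t self:capability { setuid setgid sys_resource };
auth_read_shadow(zoneminder_t)
auth_domtrans_chk_passwd(zoneminder_t)
allow httpd_t httpd_zoneminder_script_t:process { siginh noatsecure rlimitinh };
"""

# Interfaces that let a daemon domain behave like an interactive/unconfined user.
RISKY_IFACES = {
    "sudo_exec": "executes sudo inside the daemon domain instead of transitioning",
    "su_exec": "executes su inside the daemon domain instead of transitioning",
    "auth_read_shadow": "reads /etc/shadow directly instead of going through chkpwd_t",
    "auth_domtrans_upd_passwd": "may update account passwords",
}
RISKY_CAPS = {"setuid", "setgid", "dac_override", "sys_admin"}
# Process permissions that refpolicy usually dontaudits rather than allows.
NOISE_PERMS = {"siginh", "noatsecure", "rlimitinh"}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")
IFACE_RE = re.compile(r"^(\w+)\(([^)]*)\)")


def audit_te(text, domain):
    """Return (rule, reason) pairs for rules that widen `domain` or add noise."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, _tgt, cls, many, one = m.groups()
            perms = set((many or one).split())
            if src == domain and cls == "capability" and perms & RISKY_CAPS:
                findings.append((line, f"capabilities {sorted(perms & RISKY_CAPS)}"))
            elif cls == "process" and perms & NOISE_PERMS:
                findings.append((line, "use dontaudit for inheritance noise"))
            continue
        m = IFACE_RE.match(line)
        if m and m.group(1) in RISKY_IFACES:
            args = [a.strip() for a in m.group(2).split(",")]
            if args and args[0] == domain:
                findings.append((line, RISKY_IFACES[m.group(1)]))
    return findings
```

Run it over a real module with `audit_te(open("myzonem.te").read(), "zoneminder_t")`; the interface list is a starting point, not an exhaustive catalogue of risky refpolicy interfaces.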

