Zoneminder (http://www.zoneminder.com) is a really nice web-based surveillance application that's been packaged for Fedora. It runs as a combination of daemons (written in perl) and a php-based web interface, and it should come as no surprise that it has issues with selinux.

The zoneminder documentation includes some information on policy at http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy, including a policy module which I'll include at the end of this message. I haven't tested it yet; I'm currently more concerned about whether there's any path to getting some kind of reasonable support for zoneminder into the base policy. I don't really know enough to say what form that it should take; if the suggested policy module is really sufficient, a simple boolean that allows httpd to access a few extra things might be good. However, the daemons which currently seem to run as initrc_t also need to be confined, and then things rapidly become complex beyond my limited understanding of selinux.

Here's the suggested policy:

    module local_zoneminder 1.0;

    require {
        type httpd_t;
        type initrc_var_run_t;
        type initrc_t;
        type v4l_device_t;
        type file_t;
        class unix_stream_socket { read connectto };
        class file { read lock };
        class shm { unix_read unix_write associate read write getattr };
        class chr_file getattr;
    }

    #============= httpd_t ==============
    allow httpd_t initrc_t:unix_stream_socket connectto;
    allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
    allow httpd_t initrc_var_run_t:file { read lock };
    allow httpd_t v4l_device_t:chr_file getattr;

- J<

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
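An added example, not part of the post or of the zoneminder project: a small linter for the TE module above that lists its allow rules, flags the ones whose target is a catch-all domain (initrc_t, the type the poster's daemons currently run as, so granting httpd_t access to it is far broader than access to a dedicated zoneminder domain), and reports required types the module never uses. The BROAD_TARGETS set and the rule parser are assumptions of this example, not anything from the refpolicy tooling.

```python
"""Lint a small SELinux TE module: list allow rules and flag broad targets."""
import re
from dataclasses import dataclass

# Constructed copy of the local_zoneminder module posted above.
ZONEMINDER_TE = """
module local_zoneminder 1.0;
require {
    type httpd_t;
    type initrc_var_run_t;
    type initrc_t;
    type v4l_device_t;
    type file_t;
    class unix_stream_socket { read connectto };
    class file { read lock };
    class shm { unix_read unix_write associate read write getattr };
    class chr_file getattr;
}
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
"""

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    cls: str
    perms: frozenset

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")

# Assumed list: targets that mean "an unconfined peer" rather than a dedicated
# domain. initrc_t is the generic init-script domain, file_t is unlabeled files.
BROAD_TARGETS = {"initrc_t", "file_t", "unconfined_t", "unlabeled_t"}

def parse_allow_rules(te_text):
    """Return every `allow src tgt:cls perms;` rule as an AllowRule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def broad_rules(te_text):
    """Allow rules that hand the source domain access to a catch-all target."""
    return [r for r in parse_allow_rules(te_text) if r.target in BROAD_TARGETS]

def unused_required_types(te_text):
    """Types declared in require{} but referenced by no allow rule."""
    rules = parse_allow_rules(te_text)
    used = {r.source for r in rules} | {r.target for r in rules}
    return sorted(set(TYPE_RE.findall(te_text)) - used)
```

Run against the posted module this reports the two initrc_t rules (socket connect and shared memory) as broad and file_t as required but unused.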