Hello,

Are you testing this on Fedora? If so, I can help you create proper policy for both daemon and webapp. All I need is a "rpm -ql" and someone that can test my policy and send feedback.

I recently also wrote policy for a motion detection software called motion which is available on rpmfusion. That policy is not perfected because it needs testing in not so standard scenarios, but a basic configuration works just fine.

http://82.197.205.60/~dgrift/stuff/modules/motion.te
http://82.197.205.60/~dgrift/stuff/modules/motion.if
http://82.197.205.60/~dgrift/stuff/modules/motion.fc

On Tue, 2009-06-09 at 20:23 -0500, Jason L Tibbitts III wrote:
> Zoneminder (http://www.zoneminder.com) is a really nice web-based
> surveillance application that's been packaged for Fedora. It runs as
> a combination of daemons (written in perl) and a php-based web
> interface and it should come as no surprise that it has issues with
> selinux.
>
> The zoneminder documentation includes some information on policy at
> http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
> including a policy module which I'll include at the end of this
> message. I haven't tested it yet; I'm currently more concerned about
> whether there's any path to getting some kind of reasonable support
> for zoneminder into the base policy. I don't really know enough to
> say what form that it should take; if the suggested policy module is
> really sufficient, a simple boolean that allows httpd to access a few
> extra things might be good. However, the daemons, which currently seem
> to run as initrc_t, also need to be confined, and then things rapidly
> become complex beyond my limited understanding of selinux.
>
> Here's the suggested policy:
>
> module local_zoneminder 1.0;
>
> require {
>     type httpd_t;
>     type initrc_var_run_t;
>     type initrc_t;
>     type v4l_device_t;
>     type file_t;
>     class unix_stream_socket { read connectto };
>     class file { read lock };
>     class shm { unix_read unix_write associate read write getattr };
>     class chr_file getattr;
> }
>
> #============= httpd_t ==============
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
> allow httpd_t initrc_var_run_t:file { read lock };
> allow httpd_t v4l_device_t:chr_file getattr;
>
>
> - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
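Before loading a hand-edited audit2allow-style module such as the local_zoneminder one above, it is worth checking that every type, class and permission its allow rules use is actually declared in the require block, and that nothing left over in require (here, file_t, which no rule uses) goes unnoticed. The linter below is an added example written for this thread, not code from either poster or from the SELinux toolchain; it embeds the posted module as constructed sample input and only inspects the text, so it needs no SELinux tools to run.

```python
"""Lint a raw-rule SELinux module (require block + allow rules)."""
import re

# The local_zoneminder module posted in the thread, embedded as sample input.
SAMPLE_MODULE = """\
module local_zoneminder 1.0;
require {
    type httpd_t;
    type initrc_var_run_t;
    type initrc_t;
    type v4l_device_t;
    type file_t;
    class unix_stream_socket { read connectto };
    class file { read lock };
    class shm { unix_read unix_write associate read write getattr };
    class chr_file getattr;
}
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
"""

def _perms(text):
    # "{ a b }" or "a" -> {"a", "b"} / {"a"}
    return set(text.strip("{} ").split())

def parse_module(src):
    """Return (required types, {class: required perms}, [(subj, tgt, class, perms)])."""
    req = re.search(r"require\s*\{(.*?)\n\}", src, re.S)
    body = req.group(1) if req else ""
    types = set(re.findall(r"^\s*type\s+(\w+);", body, re.M))
    classes = {c: _perms(p) for c, p in
               re.findall(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+);", body, re.M)}
    rules = [(s, t, c, _perms(p)) for s, t, c, p in
             re.findall(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);", src, re.M)]
    return types, classes, rules

def lint_module(src):
    """Return a list of problems; an empty list means the module is self-consistent."""
    types, classes, rules = parse_module(src)
    problems, used_types = [], set()
    for subj, tgt, cls, perms in rules:
        used_types |= {subj, tgt}
        problems += [f"type {t} used but not required" for t in (subj, tgt) if t not in types]
        if cls not in classes:
            problems.append(f"class {cls} used but not required")
        else:  # a permission missing from the class declaration fails at build time
            problems += [f"permission {p} not required for class {cls}" for p in sorted(perms - classes[cls])]
    # Unused require entries build fine but usually mean a rule was dropped or never written.
    problems += [f"type {t} required but never used" for t in sorted(types - used_types)]
    return problems
```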