On Wed, 2009-06-10 at 14:10 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <domg472@xxxxxxxxx> writes:
>
> DG> Are you testing this on Fedora?
>
> I comaintain it in Fedora. My current zoneminder server runs F11.
>
> DG> All I need is a "rpm -ql" and someone that can test my policy and
> DG> send feedback.
>
> I don't fully understand the interaction between the daemon portion
> and the webapp portion (which as I understand it cannot be in a
> separate domain from httpd) but I'm not really sure it's as simple as
> looking at the file list. Still, 'repoquery -l zoneminder' will show
> you that.
>
> - J<

Yes, as far as the webapp is concerned it will have to run as httpd_t
if it's PHP. However the daemons can be confined.

I downloaded the package and found it has a lot of executable files. I
was looking into the zoneminder init script and noticed a few of those
executables as run by initrc_t (zmu zmpkg zmupdate).

I have created some declarations for those executables and made their
domains permissive. I also defined file contexts for the executable
files, pid, log and config file.

The source policy is here:

http://82.197.205.60/~dgrift/stuff/modules/zoneminder.te
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.if
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.fc
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.pp

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i zoneminder.pp
sudo restorecon -v -R /etc/rc.d/init.d/zoneminder /etc/zoneminder /var/log/zoneminder /usr/bin/zmpkg /usr/bin/zmu /usr/bin/zmupdate

(restore each location in zoneminder.fc)

Then run it, test the app, and collect all the AVC denials. Please send
those AVC denials to me so that I can extend and perfect the policy.

Please mind that the webapp will not work yet and probably many other
things with that. I have only made some declarations that I thought
should be made to get started.
(no policy yet)

Thanks

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
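An added example, not part of the original message or the posted policy: with the daemon domains permissive, denials are logged without being enforced, so the feedback requested above can be condensed by merging AVC records per (source type, target type, class). The `zoneminder_t` and `zoneminder_log_t` type names and every log line below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records. The zoneminder_* type names are
# assumptions for illustration, not taken from the posted policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1244660000.101:41): avc:  denied  { read write } for  pid=2101 comm="zmpkg" name="zm.pid" dev=dm-0 ino=1201 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244660000.202:42): avc:  denied  { getattr } for  pid=2101 comm="zmpkg" path="/var/run/zm.pid" dev=dm-0 ino=1201 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244660001.303:43): avc:  denied  { name_connect } for  pid=2140 comm="zmupdate" dest=3306 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244660002.404:44): avc:  denied  { search } for  pid=1990 comm="httpd" name="zoneminder" dev=dm-0 ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir
type=USER_AUTH msg=audit(1244660003.505:45): user pid=3000 uid=0 msg='op=PAM:authentication'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # user:role:type[:level] -> the type is always the third field.
    return context.split(":")[2]

def summarize_denials(log_text, type_prefix="zoneminder"):
    """Merge denials that involve a type starting with type_prefix into
    (source type, target type, class) -> set of denied permissions."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if not (src.startswith(type_prefix) or tgt.startswith(type_prefix)):
            continue  # unrelated to the module under test
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(merged)

def as_report(merged):
    # Allow-rule shape makes it easy to see what each merged denial asks for.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(as_report(summarize_denials(SAMPLE_AUDIT_LOG))))
```

The allow-shaped lines are a reading aid for reviewing what was denied; each one still needs a decision on whether the access belongs in the policy at all.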