Dear Lukas and Petr,
I have made fixes to the Zoneminder Policy module. Zoneminder will not start with the current one.

Also, I took the liberty to add two bools: one for email sending, because Zoneminder can send emails with images when an alarm event was detected on a camera, and another boolean for ftp access, as Zoneminder can upload alarm events to an ftp, for safe keeping, in case somebody burgles your house and steals your CCTV gear.

It can also use sftp, but I am not sure I would really like to add a port for that. But if you would like to add that option, I would leave that up to you.

If you could be so kind as to look over the additions: I suspect there might be a few things in there one might want to avoid or that require labelling, or ways to make it more secure.

Policy additions below (will require merging into existing policy):
module zoneminder2018 1.3;
require {
type sysfs_t;
type zoneminder_script_t;
type zoneminder_var_lib_t;
type zoneminder_t;
type v4l_device_t;
type init_var_run_t;
type cert_t;
type httpd_t;
type syslogd_t;
type zoneminder_tmpfs_t;
type smtp_port_t;
type tmpfs_t;
type ftp_port_t;
type ephemeral_port_t;
class file { create getattr lock map open read unlink write };
class chr_file map;
class lnk_file read;
class dir { create read rmdir search write add_name };
class unix_dgram_socket sendto;
class sock_file { create unlink };
class process { noatsecure rlimitinh siginh };
class tcp_socket name_connect;
}
bool zoneminder_can_sendmail false;
bool zoneminder_can_ftp false;
#============= httpd_t ==============
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
#Flagged, but not required.
allow httpd_t zoneminder_tmpfs_t:file map;
allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
#============= syslogd_t ==============
allow syslogd_t init_var_run_t:lnk_file read;
#============= zoneminder_script_t ==============
allow zoneminder_script_t cert_t:dir search;
allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read;
allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map;
allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr
lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };
#============= zoneminder_t ==============
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
#add ftp and sftp here
#sftp needs some extra work I guess.
if (zoneminder_can_ftp) {
allow zoneminder_t ftp_port_t:tcp_socket name_connect;
allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_t zoneminder_tmpfs_t:file map;
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/OEEU7VHSA2EBAOAX5BQ7ZHP4JGBONCMI/
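The boolean-gated rules in the module above are the part a reviewer wants to check first: which extra port connections zoneminder_t gains when each bool is switched on. The following Python is added here as an example and is not part of the original mail or of the Zoneminder policy; it parses allow rules from a TE fragment (a constructed subset of the module above), records the boolean gating each rule, and reports which port types a domain may name_connect to under a given bool setting. It assumes plain allow rules inside optional if-blocks and does not handle else branches.

```python
import re
from collections import namedtuple

# Constructed sample: gated rules from the zoneminder2018 module above, plus
# one wrapped permission list from the script domain to exercise the parser.
POLICY = """
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr
lock open read unlink write };
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
if (zoneminder_can_ftp) {
allow zoneminder_t ftp_port_t:tcp_socket name_connect;
allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
"""

# One token per allow rule (single perm or brace set, possibly spanning
# wrapped lines), per "if (bool) {" opener, or per bare closing brace.
TOKEN = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
    r"|if\s*\((?P<cond>\w+)\)\s*\{"
    r"|(?P<close>\})"
)

Rule = namedtuple("Rule", "source target cls perms condition")

def parse_rules(text):
    """Extract allow rules; condition is the gating boolean or None if unconditional."""
    rules, stack = [], []      # stack of enclosing if-block booleans
    for m in TOKEN.finditer(re.sub(r"#[^\n]*", "", text)):   # strip comments first
        if m.group("cond"):
            stack.append(m.group("cond"))
        elif m.group("close"):
            if stack:          # closing braces of require/class blocks are ignored
                stack.pop()
        else:
            perms = frozenset(m.group("perms").strip("{}").split())
            rules.append(Rule(m.group("src"), m.group("tgt"), m.group("cls"),
                              perms, stack[-1] if stack else None))
    return rules

def effective_rules(rules, booleans):
    """Rules in force for a {bool_name: value} setting; unlisted booleans are off."""
    return [r for r in rules if r.condition is None or booleans.get(r.condition, False)]

def name_connect_targets(rules, booleans, domain):
    """Port types 'domain' may name_connect to under the given boolean setting."""
    return sorted(r.target for r in effective_rules(rules, booleans)
                  if r.source == domain and r.cls == "tcp_socket" and "name_connect" in r.perms)
```

With both booleans left at their declared default of false, zoneminder_t gets no name_connect targets at all; the FTP bool alone opens ftp_port_t and ephemeral_port_t, which is the wide-range grant worth discussing in review.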