Re: Zoneminder Policy Fixes

On 06/13/2018 03:17 PM, Tristan Santore wrote:
> Dear Lukas and Petr,
> 
> I have made fixes to the Zoneminder Policy module. Zoneminder will not
> start with the current one.
> 
> Also I took the liberty to add two bools, one for email sending,
> because Zoneminder can send emails with images when an alarm event is
> detected on a camera, and another boolean for ftp access, as Zoneminder
> can upload alarm events to an ftp for safekeeping, in case somebody
> burgles your house and steals your CCTV gear.
> 
> It can also use sftp, but not sure I would really like to add a port for
> that. But if you would like to add that option, I would leave that up to
> you.
> 
> If you could be so kind as to look over the additions: I suspect there
> might be a few things in there one might want to avoid or that require
> labelling, or ways to make it more secure.
> 
> 

Hi,

Thank you for your help on the SELinux policy for zoneminder!

Could you please send me the raw AVC messages (SELinux denials) from the audit log?

Please reproduce the scenario in which you're using the zoneminder policy and
then attach the output of:

# ausearch -m AVC -ts today -m USER_AVC

I would also like to see these messages before I merge it into the Fedora
distribution policy.

Thanks,
Lukas.

> Policy additions below (will require merging into existing policy):
> 
> module zoneminder2018 1.3;
> 
> require {
>         type sysfs_t;
>         type zoneminder_script_t;
>         type zoneminder_var_lib_t;
>         type zoneminder_t;
>         type v4l_device_t;
>         type init_var_run_t;
>         type cert_t;
>         type httpd_t;
>         type syslogd_t;
>         type zoneminder_tmpfs_t;
>         type smtp_port_t;
>         type tmpfs_t;
>         type ftp_port_t;
>         type ephemeral_port_t;
>         class file { create getattr lock map open read unlink write };
>         class chr_file map;
>         class lnk_file read;
>         class dir { create read rmdir search write add_name };
>         class unix_dgram_socket sendto;
>         class sock_file { create unlink };
>         class process { noatsecure rlimitinh siginh };
>         class tcp_socket name_connect;
> }
> 
> bool zoneminder_can_sendmail false;
> bool zoneminder_can_ftp false;
> 
> #============= httpd_t ==============
> #allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
> 
> #Flagged, but not required.
> 
> allow httpd_t zoneminder_tmpfs_t:file map;
> allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
> allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
> 
> #============= syslogd_t ==============
> 
> allow syslogd_t init_var_run_t:lnk_file read;
> 
> #============= zoneminder_script_t ==============
> 
> allow zoneminder_script_t cert_t:dir search;
> allow zoneminder_script_t cert_t:file { getattr open read };
> allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
> allow zoneminder_script_t init_var_run_t:dir search;
> allow zoneminder_script_t sysfs_t:dir read;
> allow zoneminder_script_t sysfs_t:file { getattr open read };
> allow zoneminder_script_t zoneminder_tmpfs_t:file map;
> allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
> allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr
> lock open read unlink write };
> allow zoneminder_script_t tmpfs_t:dir { add_name write };
> 
> #============= zoneminder_t ==============
> if (zoneminder_can_sendmail) {
> allow zoneminder_t smtp_port_t:tcp_socket name_connect;
> }
> #add ftp and sftp here
> #sftp needs some extra work I guess.
> if (zoneminder_can_ftp) {
> allow zoneminder_t ftp_port_t:tcp_socket name_connect;
> allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
> }
> 
> allow zoneminder_t v4l_device_t:chr_file map;
> allow zoneminder_t zoneminder_tmpfs_t:file map;
> 
> 
> 


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
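Lukas asks for the raw AVC denials so they can be checked against the proposed rules before merging. As an added example that is not part of the thread (not Tristan's module and not Fedora's tooling), the Python below parses AVC lines of the shape `ausearch -m AVC` prints and reports, for each denial, whether the posted module's allow rules cover it and under which boolean. The sample AVC lines and the policy excerpt are constructed, and only single-line `allow` rules are parsed (the one wrapped rule in the posted module would be skipped).

```python
import re
# AVC line: "... avc:  denied  { perms } for ... scontext=u:r:TYPE:lvl tcontext=u:r:TYPE:lvl tclass=CLASS ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)")
RULE_RE = re.compile(r"allow (\w+) (\w+):(\w+) (?:\{ ([^}]+) \}|(\w+));")  # single-line allow rules only
BOOL_RE = re.compile(r"if \((\w+)\)")

SAMPLE_POLICY = """
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_script_t cert_t:dir search;
"""  # constructed excerpt in the form of the posted module

SAMPLE_AVC = [  # constructed lines, shaped like `ausearch -m AVC` output
    'type=AVC msg=audit(1528905000.100:401): avc:  denied  { name_connect } for  pid=2001 comm="zmc" dest=25 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1528905000.200:402): avc:  denied  { map } for  pid=2002 comm="zmc" path="/dev/video0" scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1528905000.300:403): avc:  denied  { search } for  pid=2003 comm="zmc" name="certs" scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
]

def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype, ttype = (m.group(g).split(":")[2] for g in ("s", "t"))  # user:role:TYPE:level
    return stype, ttype, m.group("cls"), frozenset(m.group("perms").split())

def parse_policy(text):
    """Map (src, tgt, class) -> (allowed perms, guarding boolean or None) from allow rules."""
    rules, guard = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (b := BOOL_RE.match(line)):
            guard = b.group(1)            # entering an "if (bool) { ... }" block
        elif line == "}":
            guard = None                  # leaving the conditional block
        elif (m := RULE_RE.match(line)):
            perms, _ = rules.setdefault((m.group(1), m.group(2), m.group(3)), (set(), guard))
            perms.update((m.group(4) or m.group(5)).split())
    return rules

def classify(avc_lines, policy_text):
    """For each denial, report whether the module allows it and under which bool."""
    rules, report = parse_policy(policy_text), {}
    for s, t, c, perms in filter(None, map(parse_avc, avc_lines)):
        allowed, guard = rules.get((s, t, c), (set(), None))
        missing = perms - allowed         # perms the denial needs but no rule grants
        report[(s, t, c)] = ("uncovered: " + " ".join(sorted(missing)) if missing
                             else "covered if " + guard if guard else "covered")
    return report
```

Denials that come back as "uncovered" are the ones a reviewer still has to explain: either the rule belongs in the module (perhaps behind a boolean, as with smtp_port_t here) or a file or port needs relabelling instead.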
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/53UUYLAAPWE3J6VEA4C77SXMX5ZG6LKZ/