On 17/06/18 10:25, Lukas Vrabec wrote:
On 06/13/2018 03:17 PM, Tristan Santore wrote:
Dear Lukas and Petr,
I have made fixes to the Zoneminder Policy module. Zoneminder will not
start with the current one.
Also I took them liberty to add two bools, one for email sending,
because Zoneminder can send emails with images, when an alarm event was
detected on a camera, and another boolean for ftp access, as Zoneminder
can upload alarm events to a ftp, for safe keeping, in case somebody
burgles your house and steals your CCTV gear.
It can also use sftp, but not sure I would really like to add a port for
that. But if you would like to add that option, I would leave that up to
you.
If you could be so kind, to look over the additions, I suspect, there
might be a few things in there, one might want to avoid, or require
labelling. Or ways to make it more secure.
Hi,
Thank you for help on SELinux policy for zoneminder!
Could you send me please raw AVC messages (SELinux denials) from audit log?
Please, reproduce your scenario how you're using zoneminder policy and
then attach output of:
# ausearch -m AVC -ts today -m USER_AVC
I would like to also see these messages, before I merge it with Fedora
distribution policy.
Thanks,
Lukas.
Policy additions below(Will require merging into existing policy):
module zoneminder2018 1.3;
require {
type sysfs_t;
type zoneminder_script_t;
type zoneminder_var_lib_t;
type zoneminder_t;
type v4l_device_t;
type init_var_run_t;
type cert_t;
type httpd_t;
type syslogd_t;
type zoneminder_tmpfs_t;
type smtp_port_t;
type tmpfs_t;
type ftp_port_t;
type ephemeral_port_t;
class file { create getattr lock map open read unlink write };
class chr_file map;
class lnk_file read;
class dir { create read rmdir search write add_name };
class unix_dgram_socket sendto;
class sock_file { create unlink };
class process { noatsecure rlimitinh siginh };
class tcp_socket name_connect;
}
bool zoneminder_can_sendmail false;
bool zoneminder_can_ftp false;
#============= httpd_t ==============
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
#Flagged, but not required.
allow httpd_t zoneminder_tmpfs_t:file map;
allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
#============= syslogd_t ==============
allow syslogd_t init_var_run_t:lnk_file read;
#============= zoneminder_script_t ==============
allow zoneminder_script_t cert_t:dir search;
allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read;
allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map;
allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr
lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };
#============= zoneminder_t ==============
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
#add ftp and sftp here
#sftp needs some extra work I guess.
if (zoneminder_can_ftp) {
allow zoneminder_t ftp_port_t:tcp_socket name_connect;
allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_t zoneminder_tmpfs_t:file map;
Tracking bug created:
https://bugzilla.redhat.com/show_bug.cgi?id=1592555
Ausearch added and additional information added, for you to understand
how this works. Because they, rightfully, tried to
compartmentalise/least privilege everything and it is a web app, it is
kind of a mess and difficult to get your head around what is going on.
If it would be easier to get this finally fixed, on a permanent basis, I
could drop in #fedora-selinux.
Let me know, if I can be of further assistance, regarding this issue.
Most of the original module I did with Dominic Grift and added help by
Miroslav (mgrepl) and Dan (dwalsh)...also fixed a sudo/pam issue at that
time.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/IFJCHZZYVNI4FGMIXWDKSRRC2RKBA3JO/