On 06/18/2018 10:11 PM, Tristan Santore wrote:
> On 17/06/18 10:25, Lukas Vrabec wrote:
>> On 06/13/2018 03:17 PM, Tristan Santore wrote:
>>> Dear Lukas and Petr,
>>>
>>> I have made fixes to the Zoneminder Policy module. Zoneminder will not
>>> start with the current one.
>>>
>>> Also I took the liberty to add two bools, one for email sending,
>>> because Zoneminder can send emails with images when an alarm event was
>>> detected on a camera, and another boolean for ftp access, as Zoneminder
>>> can upload alarm events to an ftp, for safe keeping, in case somebody
>>> burgles your house and steals your CCTV gear.
>>>
>>> It can also use sftp, but I am not sure I would really like to add a port for
>>> that. But if you would like to add that option, I would leave that up to
>>> you.
>>>
>>> If you could be so kind as to look over the additions; I suspect there
>>> might be a few things in there one might want to avoid, or that require
>>> labelling. Or ways to make it more secure.
>>>
>>>
>>
>> Hi,
>>
>> Thank you for the help on the SELinux policy for zoneminder!
>>
>> Could you please send me the raw AVC messages (SELinux denials) from the audit
>> log?
>>
>> Please reproduce your scenario of how you're using the zoneminder policy and
>> then attach the output of:
>>
>> # ausearch -m AVC -ts today -m USER_AVC
>>
>> I would like to also see these messages before I merge it with the Fedora
>> distribution policy.
>>
>> Thanks,
>> Lukas.
>>
>>> Policy additions below (will require merging into existing policy):
>>>
>>> module zoneminder2018 1.3;
>>>
>>> require {
>>>     type sysfs_t;
>>>     type zoneminder_script_t;
>>>     type zoneminder_var_lib_t;
>>>     type zoneminder_t;
>>>     type v4l_device_t;
>>>     type init_var_run_t;
>>>     type cert_t;
>>>     type httpd_t;
>>>     type syslogd_t;
>>>     type zoneminder_tmpfs_t;
>>>     type smtp_port_t;
>>>     type tmpfs_t;
>>>     type ftp_port_t;
>>>     type ephemeral_port_t;
>>>     class file { create getattr lock map open read unlink write };
>>>     class chr_file map;
>>>     class lnk_file read;
>>>     class dir { create read rmdir search write add_name };
>>>     class unix_dgram_socket sendto;
>>>     class sock_file { create unlink };
>>>     class process { noatsecure rlimitinh siginh };
>>>     class tcp_socket name_connect;
>>> }
>>>
>>> bool zoneminder_can_sendmail false;
>>> bool zoneminder_can_ftp false;
>>>
>>> #============= httpd_t ==============
>>> #allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
>>>
>>> #Flagged, but not required.
>>>
>>> allow httpd_t zoneminder_tmpfs_t:file map;
>>> allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
>>> allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
>>>
>>> #============= syslogd_t ==============
>>>
>>> allow syslogd_t init_var_run_t:lnk_file read;
>>>
>>> #============= zoneminder_script_t ==============
>>>
>>> allow zoneminder_script_t cert_t:dir search;
>>> allow zoneminder_script_t cert_t:file { getattr open read };
>>> allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
>>> allow zoneminder_script_t init_var_run_t:dir search;
>>> allow zoneminder_script_t sysfs_t:dir read;
>>> allow zoneminder_script_t sysfs_t:file { getattr open read };
>>> allow zoneminder_script_t zoneminder_tmpfs_t:file map;
>>> allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
>>> allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr lock open read unlink write };
>>> allow zoneminder_script_t tmpfs_t:dir { add_name write };
>>>
>>> #============= zoneminder_t ==============
>>> if (zoneminder_can_sendmail) {
>>>     allow zoneminder_t smtp_port_t:tcp_socket name_connect;
>>> }
>>> #add ftp and sftp here
>>> #sftp needs some extra work I guess.
>>> if (zoneminder_can_ftp) {
>>>     allow zoneminder_t ftp_port_t:tcp_socket name_connect;
>>>     allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
>>> }
>>>
>>> allow zoneminder_t v4l_device_t:chr_file map;
>>> allow zoneminder_t zoneminder_tmpfs_t:file map;
>>>
>>>
>>>
>>
>>
> Tracking bug created:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1592555
>
> Ausearch added and additional information added, for you to understand
> how this works. Because they, rightfully, tried to
> compartmentalise/least privilege everything and it is a web app, it is
> kind of a mess and difficult to get your head around what is going on.
>
> If it would be easier to get this finally fixed, on a permanent basis, I
> could drop in #fedora-selinux.
>
> Let me know if I can be of further assistance regarding this issue.
> Most of the original module I did with Dominic Grift, with added help by
> Miroslav (mgrepl) and Dan (dwalsh)...also fixed a sudo/pam issue at that
> time.
>
> Regards,
>
> Tristan
>

Hi,

I added all allow rules to our distribution policy.

Lukas.

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
Attachment:
signature.asc
Description: OpenPGP digital signature
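Lukas asks for the raw AVC denials before merging, because each allow rule in a submitted module should be traceable to an observed denial. The script below is an added example and not part of the thread or of the Fedora policy: it merges AVC lines (as printed by ausearch) into allow rules and wraps the mail/ftp port rules in the two booleans Tristan proposed. The AVC records are constructed for illustration; only the type names are taken from the module above.

```python
import re
from collections import defaultdict

# Constructed AVC records in ausearch's output format. The source/target
# types are those from the proposed module; pids, timestamps, paths are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1529000000.101:201): avc:  denied  { name_connect } for  pid=2101 comm="zmc" dest=25 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1529000000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="zmc" dest=21 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1529000000.103:203): avc:  denied  { read } for  pid=2102 comm="zmu" name="cert.pem" dev="dm-0" ino=1234 scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529000000.104:204): avc:  denied  { open } for  pid=2102 comm="zmu" path="/etc/pki/tls/cert.pem" scontext=system_u:system_r:zoneminder_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

# Booleans from the proposed module that should gate network access, keyed by target type.
BOOL_FOR_TARGET = {"smtp_port_t": "zoneminder_can_sendmail",
                   "ftp_port_t": "zoneminder_can_ftp", "ephemeral_port_t": "zoneminder_can_ftp"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL or USER_AVC lines)
        stype = m.group("sctx").split(":")[2]  # context is user:role:type:level
        ttype = m.group("tctx").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def to_te(rules):
    """Render allow rules; rules on mail/ftp ports go inside the matching boolean."""
    plain, gated = [], defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in BOOL_FOR_TARGET:
            gated[BOOL_FOR_TARGET[ttype]].append(rule)
        else:
            plain.append(rule)
    out = plain[:]
    for boolean, body in sorted(gated.items()):
        out.append(f"if ({boolean}) {{")
        out.extend("    " + r for r in body)
        out.append("}")
    return "\n".join(out)
```

Running `print(to_te(parse_avcs(SAMPLE_AVCS)))` shows the two cert_t denials collapsed into one rule and the port rules placed under their booleans, which is the shape to compare against a submitted module.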
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/ORQMZAX6XOKSG4DS45E2LEU6GM2FPIZS/