I got it to work with SELinux - if someone wants the policy:

roidayan
Posts: 12
Joined: Fri Apr 11, 2008 11:10 am

Post by roidayan »

Save as local_zoneminder.te:

module local_zoneminder 1.0;

require {
        type httpd_t;
        type initrc_var_run_t;
        type initrc_t;
        type v4l_device_t;
        type file_t;
        class unix_stream_socket { read connectto };
        class file { read lock };
        class shm { unix_read unix_write associate read write getattr };
        class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;

Commands to execute:

# checkmodule -M -m -o local_zoneminder.mod local_zoneminder.te
# semodule_package -o local_zoneminder.pp -m local_zoneminder.mod
# semodule -i local_zoneminder.pp
Last edited by roidayan on Fri Apr 18, 2008 7:55 am, edited 2 times in total.
jameswilson
Posts: 5111
Joined: Wed Jun 08, 2005 8:07 pm
Location: Midlands UK

Post by jameswilson »

Useful
Thanks
James Wilson

Disclaimer: The above is pure theory and may work on a good day with the wind behind it. etc etc.
http://www.securitywarehouse.co.uk
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Would you mind posting this to the Wiki as I'm sure it would be useful to a lot of people.
Phil

Post by roidayan »

Sure, I updated it on the wiki under installation.
I think I also updated it a little at home but I am not at home to check the new settings.
When I'm home in a few hours I'll update the rest of the settings.
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

Users should be made aware that this policy does not constrain it to just ZM.
Doing so relaxes SELinux's policy in general but is still better than not having SELinux at all.

Post by roidayan »

Yeah, you're right. I still prefer to allow httpd users to do those actions; still not a risk to the system. Disabling httpd security in general is worse.

Post by roidayan »

Added this note to the wiki.
Also updated the module here if someone took the lines from here and not the wiki.
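
The scope point cordel raises can be reviewed before installing a module by expanding each allow rule into individual grants and checking which types are involved. The sketch below is an added example, not part of the thread or of ZoneMinder; it handles only simple `allow` statements, and the `zoneminder_` prefix for application-specific types is a hypothetical naming convention.

```python
import re

# The allow rules from the post above, embedded so the example runs offline.
POLICY = """
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;
"""

# allow <source> <target>:<class> <perms>;  each field may be a { ... } set.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M)

def _items(token):
    """Turn 'a' or '{ a b }' into ['a', 'b']."""
    return token.strip("{} \t\n").split()

def expand_allow_rules(te_text):
    """Return one (source, target, class, permission) tuple per grant."""
    text = re.sub(r"#.*", "", te_text)  # drop comments
    grants = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        for s in _items(src):
            for t in _items(tgt):
                for c in _items(cls):
                    for p in _items(perms):
                        grants.append((s, t, c, p))
    return grants

def shared_type_grants(grants, app_prefix="zoneminder_"):
    """Grants where neither side is an application-specific type.
    app_prefix is a hypothetical naming convention, not from the post."""
    return [g for g in grants
            if not g[0].startswith(app_prefix)
            and not g[1].startswith(app_prefix)]

if __name__ == "__main__":
    # Every line printed is a permission given to all of httpd_t,
    # toward a type that other software on the host also uses.
    for s, t, c, p in shared_type_grants(expand_allow_rules(POLICY)):
        print(f"{s} -> {t}:{c} {p}")
```

All ten grants in this module are reported, since both the source (`httpd_t`) and every target type are shared by software other than ZoneMinder.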