
I got it to work with SELinux - if someone wants the policy:

Posted: Sat Apr 12, 2008 7:09 pm
by roidayan
Save as local_zoneminder.te:

module local_zoneminder 1.0;

require {
        type httpd_t;
        type initrc_var_run_t;
        type initrc_t;
        type v4l_device_t;
        type file_t;
        class unix_stream_socket { read connectto };
        class file { read lock };
        class shm { unix_read unix_write associate read write getattr };
        class chr_file getattr;
}

#============= httpd_t ==============
# The source domain is httpd_t, so every rule here applies to all processes
# running in the Apache domain, not only ZoneMinder.
# Let httpd connect to Unix stream sockets owned by initrc_t processes.
allow httpd_t initrc_t:unix_stream_socket connectto;
# Let httpd attach to and use SysV shared-memory segments created by initrc_t processes.
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
# Let httpd read and lock files labelled initrc_var_run_t (runtime files under /var/run).
allow httpd_t initrc_var_run_t:file { read lock };
# Let httpd stat video4linux device nodes.
allow httpd_t v4l_device_t:chr_file getattr;

Commands to execute (as root):

# checkmodule -M -m -o local_zoneminder.mod local_zoneminder.te
# semodule_package -o local_zoneminder.pp -m local_zoneminder.mod
# semodule -i local_zoneminder.pp
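The module above is the kind of file that audit2allow (from policycoreutils, e.g. `audit2allow -M local_zoneminder < /var/log/audit/audit.log`) generates from AVC denials in the audit log. The following is an added example, not code from the post above, from ZoneMinder or from the real audit2allow: a small Python reimplementation of that derivation that parses constructed sample audit lines (made up for this example, not real log data), merges the denied permissions per (source type, target type, class), renders a .te module in the same shape as local_zoneminder.te, and reports which source domains the rules widen. The function and module names are this example's own.

```python
"""Illustrative audit2allow-style generator: AVC denials -> SELinux .te module.

Added example, not ZoneMinder's code and not the real audit2allow tool. It shows
how a module such as local_zoneminder.te is derived from audit.log denials and
makes visible that every generated rule is keyed on the source domain (httpd_t),
i.e. it applies to everything Apache runs, not only ZoneMinder.
"""
import re
from collections import defaultdict

# Constructed sample lines in /var/log/audit/audit.log format (not real log data).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1208034000.123:45): avc:  denied  { connectto } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208034000.123:45): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1208034000.456:46): avc:  denied  { read write } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1208034000.789:47): avc:  denied  { read } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1208034001.001:48): avc:  denied  { lock } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1208034001.222:49): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/dev/video0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None  # SYSCALL records and other non-AVC lines carry no denial
    perms = set(m.group(1).split())
    fields = dict(tok.partition("=")[::2] for tok in line.split() if "=" in tok)
    try:
        # A context looks like user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def collect_denials(audit_text):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Emit a .te module: require block first, then one allow rule per key."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        lines.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(rules[key])};")
    return "\n".join(lines) + "\n"


def source_domains(rules):
    """Domains the rules widen; every process in such a domain gains the access."""
    return {stype for (stype, _, _) in rules}


if __name__ == "__main__":
    rules = collect_denials(SAMPLE_AUDIT)
    print(render_module("local_zoneminder", rules))
    for dom in sorted(source_domains(rules)):
        print(f"# note: rules are granted to the whole {dom} domain, not to one program")
```

The rendered module is what you would then feed to checkmodule, semodule_package and semodule as in the post above. `source_domains` makes the scope of such a module explicit: because AVC denials name the subject by its domain type rather than by executable, anything generated from them for an Apache CGI is granted to all of httpd_t, which is the caveat raised later in this thread.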

Posted: Sun Apr 13, 2008 8:22 pm
by jameswilson
Useful
Thanks

Posted: Sun Apr 13, 2008 9:15 pm
by zoneminder
Would you mind posting this to the Wiki as I'm sure it would be useful to a lot of people.

Posted: Tue Apr 15, 2008 2:23 pm
by roidayan
Sure, I updated it on the wiki under installation.
I think I also updated it a little at home, but I am not at home to check the new settings.
When I'm home in a few hours I'll update the rest of the settings.

Posted: Thu Apr 17, 2008 10:53 pm
by cordel
Users should be made aware that this policy does not constrain it to just ZM.
Doing so relaxes SELinux's policy in general, but it is still better than not having SELinux at all.

Posted: Fri Apr 18, 2008 7:47 am
by roidayan
Yeah, you're right. I still prefer to allow httpd users to do those actions; it's still not a risk to the system. Disabling httpd security in general is worse.

Posted: Fri Apr 18, 2008 7:56 am
by roidayan
Added this note to the wiki.
Also updated the module here in case someone took the lines from here and not from the wiki.