From 6feddceaa9c59a2d1a4dd451c62f7e89d262d4bc Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 22 Dec 2011 19:24:51 +0000 Subject: [PATCH] Add initial policy for zoneminder
---
policy/modules/admin/permissivedomains.te | 10 + policy/modules/services/zoneminder.fc | 12 + policy/modules/services/zoneminder.if | 320 ++++++++++++++++++++++ policy/modules/services/zoneminder.te | 64 +++++ policy/modules/services/zoneminder.te~ | 69 +++++ 5 files changed, 475 insertions(+) create mode 100644 policy/modules/services/zoneminder.fc create mode 100644 policy/modules/services/zoneminder.if create mode 100644 policy/modules/services/zoneminder.te create mode 100644 policy/modules/services/zoneminder.te~
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
index 9c8b64f9..deed25f6 100644
--- a/policy/modules/admin/permissivedomains.te
+++ b/policy/modules/admin/permissivedomains.te
@@ -8,3 +8,13 @@ optional_policy(`
 permissive blueman_t;
 ')
 
+
+optional_policy(`
+ gen_require(`
+ type httpd_zoneminder_script_t, zoneminder_t;
+ ')
+
+ permissive httpd_zoneminder_script_t;
+ permissive zoneminder_t;
+')
+
diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc
new file mode 100644
index 00000000..b74fadfe
--- /dev/null
+++ b/policy/modules/services/zoneminder.fc
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
+
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
+
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
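Review bot: The new `optional_policy` block in permissivedomains.te puts both zoneminder_t and the web-facing httpd_zoneminder_script_t into permissive mode, so nothing the new zoneminder module grants or withholds is enforced until this entry is removed, and the block carries no marker saying it is temporary. Bootstrapping a new domain this way follows the file's existing convention (blueman_t just above), but a comment such as `# zoneminder: initial policy, drop once denials have been collected` above the block would tell the next maintainer what has to happen before enforcement. The hunk also ends with an added trailing blank line.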
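Review bot: `/usr/bin/zmpkg.pl` leaves the dot unescaped while `/etc/rc\.d/init\.d/zoneminder` two entries above escapes its dots; .fc paths are regular expressions, so the entry as written matches any single character in that position rather than only the literal `.`. Change it to `/usr/bin/zmpkg\.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)`. The practical impact is small, but the file's own convention is the escaped form.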
diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if
new file mode 100644
index 00000000..aadeef3a
--- /dev/null
+++ b/policy/modules/services/zoneminder.if
@@ -0,0 +1,320 @@
+
+## policy for zoneminder
+
+
+########################################
+##
+## Transition to zoneminder.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zoneminder_domtrans',`
+ gen_require(`
+ type zoneminder_t, zoneminder_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
+')
+
+
+########################################
+##
+## Execute zoneminder server in the zoneminder domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_initrc_domtrans',`
+ gen_require(`
+ type zoneminder_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
+')
+
+
+########################################
+##
+## Read zoneminder's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`zoneminder_read_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+##
+## Append to zoneminder log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_append_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+##
+## Manage zoneminder log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_manage_log',`
+ gen_require(`
+ type zoneminder_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
+ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+##
+## Search zoneminder lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_search_lib',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read zoneminder lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_read_lib_files',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+##
+## Manage zoneminder lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_manage_lib_files',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+##
+## Manage zoneminder lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_manage_lib_dirs',`
+ gen_require(`
+ type zoneminder_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+
+########################################
+##
+## Search zoneminder spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_search_spool',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ allow $1 zoneminder_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read zoneminder spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_read_spool_files',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+##
+## Manage zoneminder spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_manage_spool_files',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+##
+## Manage zoneminder spool dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_manage_spool_dirs',`
+ gen_require(`
+ type zoneminder_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+##
+## Connect to zoneminder over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zoneminder_stream_connect',`
+ gen_require(`
+ type zoneminder_t, zoneminder_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an zoneminder environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`zoneminder_admin',`
+ gen_require(`
+ type zoneminder_t;
+ type zoneminder_initrc_exec_t;
+ type zoneminder_log_t;
+ type zoneminder_var_lib_t;
+ type zoneminder_spool_t;
+ ')
+
+ allow $1 zoneminder_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zoneminder_t)
+
+ zoneminder_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 zoneminder_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, zoneminder_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, zoneminder_var_lib_t)
+
+ files_search_spool($1)
+ admin_pattern($1, zoneminder_spool_t)
+
+')
+
diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
new file mode 100644
index 00000000..acd39ebd
--- /dev/null
+++ b/policy/modules/services/zoneminder.te
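Review bot: `zoneminder_stream_connect` pairs `files_search_pids($1)` with a socket labelled zoneminder_var_lib_t, which the .fc hunk places under /var/lib/zoneminder rather than /var/run, so a caller that cannot already search /var/lib gets no path to the socket from this interface. The search line should be `files_search_var_lib($1)` (or the `zoneminder_search_lib($1)` interface defined earlier in this hunk). Two smaller points in the same hunk: the summary of `zoneminder_admin` reads `an zoneminder environment` and should read `a zoneminder environment`, and the summary of `zoneminder_initrc_domtrans` says it executes the server "in the zoneminder domain" although the rule it wraps, `init_labeled_script_domtrans`, transitions through the labelled init script, not into zoneminder_t.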
@@ -0,0 +1,64 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
+type zoneminder_log_t;
+logging_log_file(zoneminder_log_t)
+
+type zoneminder_var_lib_t;
+files_type(zoneminder_var_lib_t)
+
+type zoneminder_spool_t;
+files_type(zoneminder_spool_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
+allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
+
+dev_read_sysfs(zoneminder_t)
+dev_read_urand(zoneminder_t)
+
+domain_use_interactive_fds(zoneminder_t)
+
+files_read_etc_files(zoneminder_t)
+files_read_usr_files(zoneminder_t)
+
+miscfiles_read_localization(zoneminder_t)
+
+########################################
+#
+# zoneminder cgi local policy
+#
+
+apache_content_template(zoneminder)
+
+manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+zoneminder_stream_connect(httpd_zoneminder_script_t)
diff --git a/policy/modules/services/zoneminder.te~ b/policy/modules/services/zoneminder.te~
new file mode 100644
index 00000000..a8e8efa1
--- /dev/null
+++ b/policy/modules/services/zoneminder.te~
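Review bot: The second-to-last line gives httpd_zoneminder_script_t, the web-facing CGI domain, `manage_sock_files_pattern` over everything labelled zoneminder_var_lib_t — create, unlink and rename included — while `zoneminder_stream_connect` on the last line already covers the connect side; with `files_var_lib_filetrans(... sock_file)` earlier in the hunk, that set includes whatever socket the daemon itself creates, so the CGI could remove or replace it. If the CGI only needs to talk to the daemon, drop the manage line; if it creates sockets of its own (not visible here), a dedicated type for those would keep the two apart. Also worth checking before the domain leaves permissive mode: the entry point labelled zoneminder_exec_t in the .fc hunk is a perl script, and zoneminder_t has no `corecmd_exec_bin(zoneminder_t)` for running the interpreter or any helper it spawns, so those executions will presumably show up as denials.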
@@ -0,0 +1,69 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
+permissive zoneminder_t;
+
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
+type zoneminder_log_t;
+logging_log_file(zoneminder_log_t)
+
+type zoneminder_var_lib_t;
+files_type(zoneminder_var_lib_t)
+
+type zoneminder_spool_t;
+files_type(zoneminder_spool_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
+allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
+
+dev_read_sysfs(zoneminder_t)
+dev_read_urand(zoneminder_t)
+
+domain_use_interactive_fds(zoneminder_t)
+
+files_read_etc_files(zoneminder_t)
+files_read_usr_files(zoneminder_t)
+
+miscfiles_read_localization(zoneminder_t)
+
+########################################
+#
+# zoneminder cgi local policy
+#
+
+apache_content_template(zoneminder)
+
+permissive httpd_zoneminder_script_t;
+
+manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+zoneminder_stream_connect(httpd_zoneminder_script_t)
+
-- 2.47.3
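Review bot: `policy/modules/services/zoneminder.te~` is an editor backup of zoneminder.te and should not be in the commit: it repeats every declaration of the real module and, unlike it, embeds `permissive zoneminder_t;` and `permissive httpd_zoneminder_script_t;` in the module itself, contradicting the permissivedomains.te hunk that keeps those in a separate module. A `*.te` build glob will not pick the file up, but a stale copy with different permissive settings is easy to mistake for the live policy when auditing what a domain may do. Drop it from the patch and ignore `*~` files in the tree.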