Updated policy for zoneminder

author Dan Walsh <dwalsh@redhat.com>

Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)

committer Dan Walsh <dwalsh@redhat.com>

Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)
author Dan Walsh <dwalsh@redhat.com>
Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)
committer Dan Walsh <dwalsh@redhat.com>
Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)
diff --cc policy/modules/services/zoneminder.te

index bcfd337214cb6b4e6e58f145d4f4ab2790b2c3e0,293f8077535ac743a2ee2273007c5ce14756df54..bcbe09fce908831d1eb1e53cbab48e0861b09097
--- 1/policy/modules/services/zoneminder.te
--- 2/policy/modules/services/zoneminder.te
+++ b/policy/modules/services/zoneminder.te
@@@ -31,10 -36,12 +39,11 @@@ files_pid_file(zoneminder_var_run_t
   #
   # zoneminder local policy
   #
- -
- -allow zoneminder_t self:process signal_perms;
- -
+ +allow zoneminder_t self:capability { chown dac_override };
+ +allow zoneminder_t self:process { signal_perms setpgid };
+ allow zoneminder_t self:shm create_shm_perms;
   allow zoneminder_t self:fifo_file rw_fifo_file_perms;
- -allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
+ +allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
   
   manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
   manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
@@@ -59,11 -61,12 +68,15 @@@ manage_files_pattern(zoneminder_t, zone
   manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
   files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
   
+ +kernel_read_system_state(zoneminder_t)
+ +
+ corecmd_exec_bin(zoneminder_t)
+ corecmd_exec_shell(zoneminder_t)
+ 
   dev_read_sysfs(zoneminder_t)
+ dev_read_rand(zoneminder_t)
   dev_read_urand(zoneminder_t)
+ +dev_read_video_dev(zoneminder_t)
   
   domain_use_interactive_fds(zoneminder_t)
   
@@@ -76,8 -79,16 +89,12 @@@ logging_send_syslog_msg(zoneminder_t
   
   miscfiles_read_localization(zoneminder_t)
   
+ tunable_policy(`zoneminder_anon_write',`
+       miscfiles_manage_public_files(zoneminder_t)
+ ')
+ 
   optional_policy(`
- -    mysql_stream_connect(zoneminder_t)
- -')
- -
- -optional_policy(`
- -      sysnet_read_config(zoneminder_t)
+ +      mysql_stream_connect(zoneminder_t)
   ')
   
   ########################################
@@@ -85,7 -96,21 +102,21 @@@
   # zoneminder cgi local policy
   #
   
- apache_content_template(zoneminder)
+ optional_policy(`
+       apache_content_template(zoneminder)
+ 
+       # need more testing
+       #allow httpd_zoneminder_script_t self:shm create_shm_perms;
+ 
+       manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+       zoneminder_stream_connect(httpd_zoneminder_script_t)
+       
+       files_search_var_lib(httpd_zoneminder_script_t)
+ 
+       logging_send_syslog_msg(httpd_zoneminder_script_t)
   
- manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
- zoneminder_stream_connect(httpd_zoneminder_script_t)
+       optional_policy(`
- -      mysql_stream_connect(httpd_zoneminder_script_t)
++              mysql_stream_connect(httpd_zoneminder_script_t)
+       ')
+ 
+ ')
author	Dan Walsh <dwalsh@redhat.com>
	Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)
committer	Dan Walsh <dwalsh@redhat.com>
	Wed, 28 Dec 2011 13:48:42 +0000 (08:48 -0500)