From: Dan Walsh
Date: Wed, 28 Dec 2011 13:43:19 +0000 (-0500)
Subject: Updated policy for zoneminder
X-Git-Tag: 000~4
X-Git-Url: http://git.ipfire.org/?p=people%2Fstevee%2Fselinux-policy.git;a=commitdiff_plain;h=efd9356b9c291d46a0fd0f2ebef04929d1746ceb
Updated policy for zoneminder
---
diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
index acd39ebd..bcfd3372 100644
--- a/policy/modules/services/zoneminder.te
+++ b/policy/modules/services/zoneminder.te
@@ -15,44 +15,71 @@ init_script_file(zoneminder_initrc_exec_t)
 type zoneminder_log_t;
 logging_log_file(zoneminder_log_t)
 
-type zoneminder_var_lib_t;
-files_type(zoneminder_var_lib_t)
+type zoneminder_tmpfs_t;
+files_tmpfs_file(zoneminder_tmpfs_t)
 
 type zoneminder_spool_t;
 files_type(zoneminder_spool_t)
 
+type zoneminder_var_lib_t;
+files_type(zoneminder_var_lib_t)
+
+type zoneminder_var_run_t;
+files_pid_file(zoneminder_var_run_t)
+
 ########################################
 #
 # zoneminder local policy
 #
-
+allow zoneminder_t self:capability { chown dac_override };
+allow zoneminder_t self:process { signal_perms setpgid };
 allow zoneminder_t self:fifo_file rw_fifo_file_perms;
-allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
 manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
 logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
 
+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
+
 manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
 manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
 manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
 files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
 
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
+
 manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
 manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
 manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
 files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
 
+kernel_read_system_state(zoneminder_t)
+
 dev_read_sysfs(zoneminder_t)
 dev_read_urand(zoneminder_t)
+dev_read_video_dev(zoneminder_t)
 
 domain_use_interactive_fds(zoneminder_t)
 
 files_read_etc_files(zoneminder_t)
 files_read_usr_files(zoneminder_t)
 
+auth_use_nsswitch(zoneminder_t)
+
+logging_send_syslog_msg(zoneminder_t)
+
 miscfiles_read_localization(zoneminder_t)
 
+optional_policy(`
+	mysql_stream_connect(zoneminder_t)
+')
+
 ########################################
 #
 # zoneminder cgi local policy
diff --git a/policy/modules/services/zoneminder.te~ b/policy/modules/services/zoneminder.te~
deleted file mode 100644
index a8e8efa1..00000000
--- a/policy/modules/services/zoneminder.te~
+++ /dev/null
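Review bot: `allow zoneminder_t self:capability { chown dac_override };` gives the daemon a capability that bypasses DAC read/write/execute permission checks on every file its type-based rules already let it reach, which is far wider than anything else in this hunk and is usually a symptom of a file-ownership mismatch rather than a genuine requirement; it should either carry a justification comment or be dropped once the package creates the spool, var_lib and var_run directories with the right owner, e.g. `# dac_override: TODO confirm which access triggers it; if it is only the chown-after-create path, fix ownership instead`. The declaration section of the file is outside this hunk, but the backup copy deleted in the next hunk still carries `permissive zoneminder_t;`; if the live zoneminder.te keeps that line, these new allow rules are recorded but not enforced, so denials will not surface to tell you whether dac_override is actually exercised. The second hunk is a pure deletion of an editor backup file and needs no separate review.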
@@ -1,69 +0,0 @@
-policy_module(zoneminder, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type zoneminder_t;
-type zoneminder_exec_t;
-init_daemon_domain(zoneminder_t, zoneminder_exec_t)
-
-permissive zoneminder_t;
-
-type zoneminder_initrc_exec_t;
-init_script_file(zoneminder_initrc_exec_t)
-
-type zoneminder_log_t;
-logging_log_file(zoneminder_log_t)
-
-type zoneminder_var_lib_t;
-files_type(zoneminder_var_lib_t)
-
-type zoneminder_spool_t;
-files_type(zoneminder_spool_t)
-
-########################################
-#
-# zoneminder local policy
-#
-
-allow zoneminder_t self:fifo_file rw_fifo_file_perms;
-allow zoneminder_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
-manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
-logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
-
-manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
-
-manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
-
-dev_read_sysfs(zoneminder_t)
-dev_read_urand(zoneminder_t)
-
-domain_use_interactive_fds(zoneminder_t)
-
-files_read_etc_files(zoneminder_t)
-files_read_usr_files(zoneminder_t)
-
-miscfiles_read_localization(zoneminder_t)
-
-########################################
-#
-# zoneminder cgi local policy
-#
-
-apache_content_template(zoneminder)
-
-permissive httpd_zoneminder_script_t;
-
-manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-zoneminder_stream_connect(httpd_zoneminder_script_t)
-