From: Dan Walsh
Date: Wed, 28 Dec 2011 13:48:42 +0000 (-0500)
Subject: Updated policy for zoneminder
X-Git-Tag: 000~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ef000b6831ab371afdb7f5e3c82ee402bdc8a52;p=people%2Fstevee%2Fselinux-policy.git
Updated policy for zoneminder
--- 0ef000b6831ab371afdb7f5e3c82ee402bdc8a52
diff --cc policy/modules/services/zoneminder.te
index bcfd3372,293f8077..bcbe09fc
--- a/policy/modules/services/zoneminder.te
+++ b/policy/modules/services/zoneminder.te
@@@ -31,10 -36,12 +39,11 @@@ files_pid_file(zoneminder_var_run_t # # zoneminder local policy # - -allow zoneminder_t self:process signal_perms; - +allow zoneminder_t self:capability { chown dac_override }; +allow zoneminder_t self:process { signal_perms setpgid }; + allow zoneminder_t self:shm create_shm_perms; allow zoneminder_t self:fifo_file rw_fifo_file_perms; -allow zoneminder_t self:unix_stream_socket create_stream_socket_perms; +allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
@@@ -59,11 -61,12 +68,15 @@@ manage_files_pattern(zoneminder_t, zone manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file }) +kernel_read_system_state(zoneminder_t) + + corecmd_exec_bin(zoneminder_t) + corecmd_exec_shell(zoneminder_t) + dev_read_sysfs(zoneminder_t) + dev_read_rand(zoneminder_t) dev_read_urand(zoneminder_t) +dev_read_video_dev(zoneminder_t) domain_use_interactive_fds(zoneminder_t)
@@@ -76,8 -79,16 +89,12 @@@ logging_send_syslog_msg(zoneminder_t miscfiles_read_localization(zoneminder_t) + tunable_policy(`zoneminder_anon_write',` + miscfiles_manage_public_files(zoneminder_t) + ') + optional_policy(` - mysql_stream_connect(zoneminder_t) -') - -optional_policy(` - sysnet_read_config(zoneminder_t) + 
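Review bot: `allow zoneminder_t self:capability { chown dac_override };` in the first hunk gives the daemon a blanket bypass of discretionary permission checks on every file its type rules already reach, which is far wider than the chown it is paired with. dac_override is usually a symptom of a file in zoneminder_log_t, zoneminder_var_run_t or zoneminder_spool_t being root-owned while the daemon runs as its service user; fixing ownership in the package or via a filetrans rule removes the denial without the capability. If it really is required, keep it but record why next to the rule, e.g. `# dac_override: <path> is root-owned but written by the zoneminder user`. The new `connectto` on the daemon's own unix_stream_socket deserves a similar one-line note saying which zm component talks to which, so the rule can be revisited later.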
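Review bot: `corecmd_exec_bin(zoneminder_t)` and `corecmd_exec_shell(zoneminder_t)` in the second hunk let the daemon run any system binary or shell inside its own domain with no transition, so everything zoneminder_t can reach (video devices, spool, logs, the mysql socket) is also reachable from whatever it spawns. If the helpers being launched are ZoneMinder's own scripts, giving them an exec type with a domain transition would be tighter than opening all of bin_t; if the wide grant is intentional, a comment such as `# zm perl helpers are launched through /bin/sh` would keep the next reviewer from trimming it. `dev_read_rand` next to the existing `dev_read_urand` also looks like it came straight from an AVC denial; if the process only needs random bytes, urandom alone is normally enough and avoids blocking on the entropy pool.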
mysql_stream_connect(zoneminder_t) ') ########################################
@@@ -85,7 -96,21 +102,21 @@@ # zoneminder cgi local policy # - apache_content_template(zoneminder) + optional_policy(` + apache_content_template(zoneminder) + + # need more testing + #allow httpd_zoneminder_script_t self:shm create_shm_perms; + + manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) + zoneminder_stream_connect(httpd_zoneminder_script_t) + + files_search_var_lib(httpd_zoneminder_script_t) + + logging_send_syslog_msg(httpd_zoneminder_script_t) - manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) - zoneminder_stream_connect(httpd_zoneminder_script_t) + optional_policy(` - mysql_stream_connect(httpd_zoneminder_script_t) ++ mysql_stream_connect(httpd_zoneminder_script_t) + ') + + ')
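Review bot: `tunable_policy(`zoneminder_anon_write',` … `')` references a boolean whose declaration is not in this hunk; the matching `gen_tunable(zoneminder_anon_write, false)` with its `## <desc>` block belongs in the declarations section near the top of the file, which is outside this diff, so confirm it is present or the module will fail to build. Because turning it on grants the daemon manage rights on public content, the description should say plainly that it lets zoneminder write to anonymous-write shares, so an administrator understands what the switch exposes. The hunk also appears to drop the `sysnet_read_config(zoneminder_t)` optional block on one side of the merge; if the daemon still resolves camera hostnames, that is worth re-checking against AVC denials after the merge lands.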
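Review bot: `manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)` in the last hunk gives the web-facing CGI domain create and unlink rights over socket files in the daemon's var_lib directory, so a compromised script could remove or replace the socket the daemon listens on, while `zoneminder_stream_connect(httpd_zoneminder_script_t)` on the next line already covers connecting to it. If the CGI genuinely creates its own sockets there (a streaming helper might), keep the rule and add a comment saying so, e.g. `# zms creates per-stream sockets under /var/lib/zoneminder`; otherwise drop the manage rule and rely on the stream_connect interface. The `# need more testing` line with the commented-out `#allow httpd_zoneminder_script_t self:shm create_shm_perms;` should either become a real, tested rule or be tracked outside the policy rather than shipped as dead text.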