SUCCESS- Zoneminder 1.24.1 from source on FC8 with selinux

Forum for questions and support relating to the 1.24.x releases only.
skydreamer
Posts: 17
Joined: Thu Apr 09, 2009 1:02 am

Post by skydreamer »

It was a royal pain to get ZoneMinder 1.24.1 working on FC8 and have SELinux running at the same time.

Because of SELinux, ZoneMinder must be compiled into the directories that were used by the previous version of ZoneMinder's rpm. So after inspecting the structure of zoneminder-1.23.3-2.fc10.i386.rpm I came up with the following configure options:

./configure --prefix=/usr --sysconfdir=/etc --with-webdir=/usr/share/zoneminder/www --with-cgidir=/usr/libexec/zoneminder/cgi-bin --with-ffmpeg=/usr/bin ZM_DB_HOST=localhost ZM_DB_NAME=zm ZM_DB_USER=zmuser ZM_DB_PASS=zmpass --enable-debug=yes --with-webgroup=apache --with-webuser=apache ZM_SSL_LIB=openssl

It is recommended to use the latest ffmpeg library, so prior to compiling ZoneMinder it can be configured using:
./configure --enable-gpl --enable-shared --enable-pthreads --prefix=/usr
and installed.

The above should work for any Fedora Core distro.

After the successful compilation and installation you should copy the startup script and also the shortcuts to the web directory from the above FC10 rpm; otherwise you will hit the wall of SELinux restrictions.

Even with this setup I still had to add the SELinux policy from the documentation on the wiki and create another one:

module zm1 1.0;

require {
type unconfined_t;
type unconfined_tmpfs_t;
type usr_t;
type ping_t;
type initrc_su_t;
type file_t;
type httpd_t;
type initrc_t;
type var_log_t;
type public_content_rw_t;
type xauth_exec_t;
class unix_stream_socket { read write connectto };
class udp_socket { read write };
class tcp_socket { read write };
class file { write execute read create unlink getattr append };
class sock_file { write create unlink getattr };
class shm { write unix_read getattr unix_write associate read };
class dir { read create write rmdir remove_name add_name };
}

#============= httpd_t ==============
allow httpd_t file_t:dir { read write create add_name };
allow httpd_t file_t:file { write read getattr create };
allow httpd_t public_content_rw_t:dir { write remove_name create add_name rmdir };
allow httpd_t public_content_rw_t:file { write create unlink };
allow httpd_t public_content_rw_t:sock_file { write create unlink getattr };
allow httpd_t unconfined_t:shm { write unix_read getattr unix_write associate read };
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t unconfined_tmpfs_t:file { read write };

#============= initrc_su_t ==============
allow initrc_su_t initrc_t:unix_stream_socket { read write };
allow initrc_su_t xauth_exec_t:file execute;

#============= ping_t ==============
allow ping_t initrc_t:tcp_socket { read write };
allow ping_t initrc_t:udp_socket { read write };
allow ping_t usr_t:file read;
allow ping_t var_log_t:file { read append };

With both policies loaded you may still not be able to run ZoneMinder, and I would recommend using the GUI troubleshooting tool, which will generate hints; I had to relabel a dozen library files before SELinux settled down.

The whole journey to a fully working monitoring system took approximately 5 days, 5 hours each day, and this is without any previous knowledge of ZoneMinder.

It is a wonderful piece of software; I am actually quite amazed by the wealth of features in it. Well done.

Peter
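The zm1 module above lets httpd_t write to file_t (unlabelled files) and talk to unconfined_t objects, which after a from-source install usually means the files never got their labels rather than that ZoneMinder needs those rules. As an added example that is not part of the post, this shell script flags such rules in a .te file so they can be resolved by relabelling (restorecon) before the module is loaded; the sample policy text and the temp file path are constructed here, and the restorecon paths are the ones from the configure line above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a generated SELinux
# module (.te) for allow rules that usually point at mislabelled files
# rather than a real need. A domain asking for file_t (unlabelled objects),
# unconfined_t or unconfined_tmpfs_t access is a sign that files installed
# from source never got their labels; fix that with restorecon/semanage
# rather than loading the rule. Sample policy is constructed from the post.

# Write a sample .te (the httpd_t and ping_t rules from the post) to $1.
write_sample_te() {
    cat > "$1" <<'EOF'
module zm1 1.0;
allow httpd_t file_t:dir { read write create add_name };
allow httpd_t file_t:file { write read getattr create };
allow httpd_t public_content_rw_t:dir { write remove_name create add_name rmdir };
allow httpd_t public_content_rw_t:file { write create unlink };
allow httpd_t unconfined_t:shm { write unix_read getattr unix_write associate read };
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t unconfined_tmpfs_t:file { read write };
allow ping_t usr_t:file read;
allow ping_t var_log_t:file { read append };
EOF
}

# Print each suspicious allow rule for source domain $1 found in file $2.
list_suspicious() {
    grep -E "^allow $1 (file_t|unconfined_t|unconfined_tmpfs_t):" "$2"
}

# Print the number of suspicious rules for source domain $1 in file $2
# (prints 0 and succeeds when there are none).
count_suspicious() {
    n=$(list_suspicious "$1" "$2" | grep -c .) || true
    echo "$n"
}

# Demo when run directly: audit the sample and show the relabel step to
# try before loading such rules (paths from the post's configure line).
tmp="${TMPDIR:-/tmp}/zm1_sample.$$.te"   # constructed temp path
write_sample_te "$tmp"
echo "suspicious httpd_t rules: $(count_suspicious httpd_t "$tmp")"
list_suspicious httpd_t "$tmp" | sed 's/^/  /'
echo "before loading these, relabel the install tree, e.g.:"
echo "  restorecon -Rv /usr/share/zoneminder/www /usr/libexec/zoneminder/cgi-bin"
rm -f "$tmp"
```

Rules that survive a relabel can then be rebuilt from the remaining AVC denials with audit2allow, which keeps the loaded module down to what the daemons actually need.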
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Thanks for that. I've never quite figured out SELinux, but maybe I'll give it a try with these settings.
Phil