I am getting ready to try to attempt creating a policy for SELinux to allow ZM access to the various things that SELinux thinks it should not. I'm wondering if anyone is familiar with creating policies? If I can't get it, there is a script to run text from the log through to create a policy, but my understanding is that this has the potential to leave big gaps in SELinux's security. Anyone have some ideas?
Cordel
Okay, I think I have a working SELinux targeted policy. It was actually really easy.
I have started work on a strict policy and will be testing it shortly after I finish the tests for the targeted policy. I will post all code on my FTP as soon as I know it will not break anything. So by next week maybe.
Cheers,
Cordel
I am a newbie on ZoneMinder, but not on Linux. Been around since RH 5.x or something. Started with FC3 a few weeks ago (been too lazy to try before). I activated SELinux, knowing not much about consequences. Of course, you can turn it off, but the principles of SE look to be O.K.
Main ZoneMinder components (MySQL, Apache + PHP) are working fine now, but my testmonitor does not show pictures of the installed webcam. In Gnomemeeting the webcam works like a charm. /var/messages shows many messages that look related to SELinux (but again, I have to catch up on this). I included an extract of ZM related log messages.
Could you share your ideas of solving this with a specific policy?
zmc_d0[4292]: INF [Debug Level = 0, Debug Log = <none>]
zmc_d0[4292]: ERR [Failed to set picture attributes: Invalid argument]
I was working on a policy but have been distracted from it lately. I have started work on a targeted policy and if you want to have a peek I can post it on my FTP so you can have a look.
I haven't compiled it yet so it would be source. I still have to learn the particulars of it as well to make sure that I didn't open a huge door that would defeat the use of SELinux as well. I do think I got most of it and should clear all the avc errors.
I have posted the source at ftp://download.computerntelecom.com/pub ... 3/testing/ for anyone interested in helping out with this project. I got it started and have the correct macros listed and it is just a matter of creating the group for it and making the variables for that group. I'm almost finished with some other projects that have pulled me away from this work, but just in case someone else understands SELinux policies better than I, and would be willing to help out, I thought I'd make it available. I should be able to start in on it again in the next week or two.
Cheers,
Cordel
Last edited by cordel on Sat Apr 09, 2005 9:29 pm, edited 1 time in total.
It's better to keep your mouth shut and appear stupid than open it and remove all doubt.
-Mark Twain
One of our users has submitted to me policies to allow zm to run under SELinux; I thought I would post to the forum for feedback.
The changes he has submitted would package the policies into the zm rpm and would be installed with the zm package. I was thinking of maybe changing the spec file to make this into a separate package.
Originally I was just going to repackage a targeted policy and plan on maintaining that package as this would be easy to do.
The concern I may have is that not all distros have SELinux compiled into the kernel, so one, it would be extra installed (unless I split the package), and the changes in the spec file may not work on another distro so well and could make just one more thing to track.
I'll place the files on my FTP for anyone interested in reviewing and look forward to the pros and cons and any ideas.
Gab-SELinux.tar.gz
Cheers,
Cordel ftp://download.computerntelecom.com/pub ... /3/testing
Last edited by cordel on Sat Apr 09, 2005 9:31 pm, edited 1 time in total.
Finally found some time again. I've downloaded selinux-policy-targeted-1.17.30.tar.gz and found directory containing policy-1.17.31-CTU inside. I assume this contains sources for a ZM-adapted policy.
Unfortunately I get an error while compiling the policy:
That is in the test dir because it is not finished yet. I posted there in case someone wanted to help with it. I did get some help but this user put the policy as part of the zm build process and makes the policy part of the zm package. This would be fine except that I'm trying to make the package/spec more portable so that when I finally get my build machine together I can run the build for several distros/versions on the server. This way I send the server the source and it will produce all the binary packages with little effort.
I'll be working on that package again but it needs to be updated as well. I might just go with adding into the spec file so that it will only build for versions that support it so that it just adds the policies for zm as well, but I haven't decided as of yet.
I have such a package built but haven't the time to test it.
Regards,
Cordel
I have disabled SELinux for the time being. ZM works like a charm now with my simple webcam (LogitechQuickCam Pro 4000). I'll try to get more knowledgeable on Policies, but it is a rather heavy subject to digest in my little spare hours. Will keep track of this forum topic...
Any luck with SELinux policies for ZM?? I am currently setting up ZM on a Fedora Core 6 machine with a Chinese 4 port bt848 type card. I would like to keep my machine tight and having SELinux running would be better. I wish I had an idea on how SELinux works but time doesn't allow for me to learn that as well. I have been using Linux for years but I don't have SELinux knowledge.
um, well ahh
I kinda dropped the ball on this one. SELinux has changed considerably since then so I'll have to see how things are being done now. Pretty much need to start over.