[CentOS] Work-around proposal for disabling Selinux partially
Posted: Thu Aug 25, 2016 2:48 pm
Since README.Centos7 requires me to disable Selinux, but my other services are running confined on my machine, I was looking for a way to disable Selinux for Zoneminder only. Folks at #selinux on Freenode suggested putting the types zoneminder_t and zoneminder_script_t in an unconfined domain. See the code for how it is done.
Zoneminder is running smoothly and there are no more error messages in the audit.log so far. I have tested starting, stopping the services, editing and opening the cameras and browsing events. However, httpd_t is of course still running confined, which means that PHP scripts doing things on behalf of Zoneminder may still get blocked.
I should mention that there is also the possibility to make the domain permissive (# yum install policycoreutils-python && semanage permissive -a zoneminder_t ...), which seems easier, because we do not need to write the type enforcement file (.te). But that approach does not keep audit from logging all the would-be avc denials. Compare http://danwalsh.livejournal.com/42394.html
Hopefully this makes a doable compromise between writing a fully-fledged, accurate policy and giving up the mitigation services of Selinux altogether.
edit: replaced link by unlink in last line of zoneminder_unconfined.te
Code:
# yum install selinux-policy-devel # needed for the Makefile
# cat > zoneminder_unconfined.te << END
> policy_module(zoneminder_unconfined, 0.1)
>
> gen_require(`
> type zoneminder_script_t;
> type zoneminder_t;
> type zoneminder_var_lib_t;
> type httpd_t;
> class sock_file { create read write unlink };
> ')
>
> optional_policy(`
> unconfined_domain(zoneminder_script_t)
> unconfined_domain(zoneminder_t)
> ')
>
> allow httpd_t zoneminder_var_lib_t:sock_file { create read write unlink };
> END
# make -f /usr/share/selinux/devel/Makefile # create Selinux-package (*.pp)
# semodule -i zoneminder_unconfined.pp # install package
# semodule -l | grep zoneminder # check install
zoneminder 1.0.0
zoneminder_unconfined 0.1
# systemctl start zoneminder
# # goof around with zoneminder web interface
# systemctl stop zoneminder
# ausearch -ts recent
# # optionally
# yum install policycoreutils-python # needed for audit2allow
# ausearch -ts recent | audit2allow
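As an added illustration (not part of the original post, and not Zoneminder's or the SELinux policy's own code), here is a small POSIX sh script for the checking step above: it summarises AVC denial records per source domain, separates real blocks (permissive=0) from the would-be denials that a permissive domain keeps logging (permissive=1, the point made about semanage permissive), and lists the class, permission and target type of the records for one domain, so you can see whether remaining denials come from httpd_t or from the now-unconfined zoneminder_t. The audit lines embedded in it are constructed for the example, not real log data; on a live box you would feed it ausearch -m AVC -ts recent instead.

```shell
#!/bin/sh
# Summarise SELinux AVC denials. Added example; the log lines below are
# constructed for illustration and are not taken from a real audit.log.
AVC_SAMPLE='type=AVC msg=audit(1472130000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="zmdc.sock" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1472130001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="zmdc.sock" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1472130002.789:458): avc:  denied  { execute } for  pid=2345 comm="zmc" path="/usr/bin/zmc" scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1472130002.789:458): arch=c000003e syscall=59 success=yes exit=0'

# Print "<source type> <count>" for every domain that produced a denial,
# most denials first. Only type=AVC records containing "denied" are counted;
# the type is the third colon-separated field of scontext=user:role:type:level.
avc_by_domain() {
    awk '
        /^type=AVC / && / denied / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) {
                    split($i, parts, ":")
                    n[parts[3]]++
                }
            }
        }
        END { for (t in n) print t, n[t] }
    ' | sort -k2,2nr -k1,1
}

# Split denials into those actually blocked (permissive=0) and those merely
# logged because the source domain is permissive (permissive=1). A domain
# made permissive with semanage still fills the log with the latter.
avc_enforcement_split() {
    awk '
        /^type=AVC / && / denied / {
            if ($0 ~ /permissive=1/) would++; else blocked++
        }
        END { printf "blocked=%d would_be=%d\n", blocked + 0, would + 0 }
    '
}

# For one source domain (argument 1), print "<tclass> <permission> <target type>"
# per denial, which is what an explicit allow rule in a .te file would need.
avc_detail() {
    awk -v dom="$1" '
        /^type=AVC / && / denied / {
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src != dom) next
            match($0, /[{] [^}]* [}]/)
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            print cls, perms, tgt
        }
    '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$AVC_SAMPLE" | avc_by_domain
printf '%s\n' "$AVC_SAMPLE" | avc_enforcement_split
printf '%s\n' "$AVC_SAMPLE" | avc_detail httpd_t
```

In the sample the two httpd_t records are real blocks on the Zoneminder socket file, which is exactly the case the explicit allow rule in zoneminder_unconfined.te addresses, while the zoneminder_t record is a would-be denial that would keep appearing if that domain were only made permissive rather than unconfined.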