Fedora Core 3 and SELinux. Policys anyone?
Posted: Tue Feb 01, 2005 8:05 pm
by cordel
I am getting ready to try to attempt creating a policy for SELinux to allow ZM access to the various things that SELinux thinks it should not. I'm wondering if anyone is familiar with creating policies? If I can't get it, there is a script to run text from the log through to create a policy, but my understanding is that this has the potential to leave big gaps in SELinux's security. Anyone have some ideas?
Cordel
Posted: Tue Feb 15, 2005 12:19 am
by cordel
Okay, I think I have a working SELinux targeted policy. It was actually really easy.
I have started work on a strict policy and will be testing it shortly after I finish the tests for the targeted policy. I will post all code on my FTP as soon as I know it will not break anything. So by next week maybe.
Cheers,
Cordel
Looking forward to y'r policies
Posted: Sun Mar 06, 2005 11:02 pm
by ariekanarie
I am a newbie on ZoneMinder, but not on Linux. Been around since RH 5.x or something. Started with FC3 a few weeks ago (been too lazy to try before). I activated SELinux, knowing not much about the consequences. Of course, you can turn it off, but the principles of SE look to be O.K.
Main ZoneMinder components (MySQL, Apache + PHP) are working fine now, but my test monitor does not show pictures of the installed webcam. In Gnomemeeting the webcam works like a charm. /var/messages shows many messages that look related to SELinux (but again, I have to catch up on this). I included an extract of ZM related log messages.
Could you share your ideas of solving this with a specific policy?
zmc_d0[4292]: INF [Debug Level = 0, Debug Log = <none>]
zmc_d0[4292]: ERR [Failed to set picture attributes: Invalid argument]
kernel: audit(1110149873.381:0): avc: denied { ioctl } for pid=4304 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=hda7 ino=32757 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_log_t tclass=file
kernel: audit(1110149873.518:0): avc: denied { write } for pid=4304 exe=/usr/bin/perl name=zmdc.sock dev=hda5 ino=665370 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:tmp_t tclass=sock_file
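The first post mentions a script that turns log text into policy and worries it may leave big gaps. The following is an added example (not code from this thread or from ZoneMinder) that does what audit2allow-style tools do with the two AVC lines quoted above: it merges the denials into allow rules and flags any rule whose target is a generic type. The GENERIC_TYPES list is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the post above.
SAMPLE_LOG = """\
kernel: audit(1110149873.381:0): avc: denied { ioctl } for pid=4304 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=hda7 ino=32757 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_log_t tclass=file
kernel: audit(1110149873.518:0): avc: denied { write } for pid=4304 exe=/usr/bin/perl name=zmdc.sock dev=hda5 ino=665370 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:tmp_t tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed list of generic types a generated allow rule should not widen access
# to: allowing a domain to write tmp_t sock_files covers every such socket in
# /tmp, not just zmdc.sock. The narrow fix is a dedicated type for the socket.
GENERIC_TYPES = {"tmp_t", "var_t", "file_t", "unlabeled_t", "default_t"}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = m.group("scontext").split(":")[2]  # user:role:type -> type
    tgt = m.group("tcontext").split(":")[2]
    return src, tgt, m.group("tclass"), set(m.group("perms").split())

def allow_rules(log_text):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)] |= perms
    return [f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, tclass), perms in sorted(merged.items())]

def broad_rules(log_text):
    """Rules whose target is a generic type; these widen access and need review."""
    return [r for r in allow_rules(log_text)
            if r.split()[2].split(":")[0] in GENERIC_TYPES]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        flag = "  # REVIEW: generic target type" if rule in broad_rules(SAMPLE_LOG) else ""
        print(rule + flag)
```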
Posted: Sun Mar 06, 2005 11:37 pm
by cordel
I was working on a policy but have been distracted from it lately. I have started work on a targeted policy and if you want to have a peek I can post it on my FTP so you can have a look.
Posted: Mon Mar 07, 2005 12:36 am
by zoneminder
zmc_d0[4292]: ERR [Failed to set picture attributes: Invalid argument]
is not a SELinux problem. Check the FAQ section for details about how to address it. You might find that's all you've got wrong.
Phil
Posted: Mon Mar 07, 2005 8:36 pm
by ariekanarie
Phil
Thanks, your tip indeed solved the first messages (although the option is under menu Config and not Video as mentioned in the FAQ!).
/var/log/messages is now flooded with a new message:
Mar 7 21:38:17 akns001 zmc_d0[5124]: ERR [Sync failure for frame 0: Invalid argument]
Mar 7 21:38:17 akns001 zmc_d0[5124]: ERR [Capture failure for frame 0: Invalid argument]
I'll have another look into the forums for this one, but tips are welcome of course.
Cordel: Yes, I am interested in your policy work. If you post it on your FTP site I'll test it (could be after my holidays of 1.5 weeks though).
Arjan
Posted: Mon Mar 07, 2005 8:46 pm
by cordel
I haven't compiled it yet so it would be source. I still have to learn the particulars of it as well to make sure that I didn't open a huge door that would defeat using SELinux as well. I do think I got most of it and it should clear all the avc errors.
Targeted SELinux policy
Posted: Fri Mar 11, 2005 9:31 am
by cordel
I have posted the source at
ftp://download.computerntelecom.com/pub ... 3/testing/
for anyone interested in helping out with this project. I got it started and have the correct macros listed and it is just a matter of creating the group for it and making the variables for that group. I'm almost finished with some other projects that have pulled me away from this work, but just in case someone else understands SELinux policies better than I, and would be willing to help out, I thought I'd make it available. I should be able to start in on it again in the next week or two.
Cheers,
Cordel
Posted: Wed Mar 16, 2005 1:43 am
by cordel
One of our users has submitted to me policies to allow zm to run under SELinux. I thought I would post to the forum for feedback.
The changes he has submitted would package the policies into the zm rpm and would be installed with the zm package. I was thinking of maybe changing the spec file to make this into a separate package.
Originally I was just going to repackage a targeted policy and plan on maintaining that package, as this would be easy to do.
The concern I may have is that not all distros have SELinux compiled into the kernel, so for one it would be extra installed (unless I split the package), and the changes in the spec file may not work on another distro so well and could make just one more thing to track.
I'll place the files on my FTP for anyone interested in reviewing and look forward to the pros and cons and any ideas.
Gab-SELinux.tar.gz
Cheers,
Cordel
ftp://download.computerntelecom.com/pub ... /3/testing
Posted: Thu Apr 07, 2005 8:07 pm
by ariekanarie
Cordel,
Finally found some time again. I've downloaded selinux-policy-targeted-1.17.30.tar.gz and found a directory containing policy-1.17.31-CTU inside. I assume this contains sources for a ZM-adapted policy.
Unfortunately I get an error while compiling the policy:
macros/program/zm_macros.te:7:ERROR 'unknown type httpd_sys_script_t' at token ';' on line 1991: allow httpd_sys_script_t devlog_t:sock_file write;
Maybe an easy fix is possible (adding httpd_sys_script_t somewhere in a types table?), but I am too green on policies to solve this.
Do you have any hints on this one? Thanks.
Arjan.
Posted: Sat Apr 09, 2005 1:56 am
by cordel
That is in the test dir because it is not finished yet. I posted there in case someone wanted to help with it. I did get some help, but this user put the policy as part of the zm build process and makes the policy part of the zm package. This would be fine except that I'm trying to make the package/spec more portable so that when I finally get my build machine together I can run the build for several distros/versions on the server. This way I send the server the source and it will produce all the binary packages with little effort.
I'll be working on that package again but it needs to be updated as well. I might just go with adding it into the spec file so that it will only build for versions that support it, so that it just adds the policies for zm as well, but I haven't decided as of yet.
I have such a package built but haven't the time to test it.
Regards,
Cordel
Posted: Sat Apr 09, 2005 9:20 pm
by ariekanarie
Ok, thanks anyway.
I have disabled SELinux for the time being. ZM works like a charm now with my simple webcam (Logitech QuickCam Pro 4000). I'll try to get more knowledgeable on policies, but it is a rather heavy subject to digest in my little spare hours. Will keep track of this forum topic...
Posted: Wed Mar 14, 2007 1:07 pm
by michael smith
Any luck with SELinux policies for ZM? I am currently setting up ZM on a Fedora Core 6 machine with a Chinese 4 port bt848 type card. I would like to keep my machine tight, and having SELinux running would be better. I wish I had an idea of how SELinux works, but time doesn't allow for me to learn that as well. I have been using Linux for years but I don't have SELinux knowledge.
Cheers
Michael Smith
Posted: Sat Mar 17, 2007 5:06 am
by cordel
um, well ahh
I kinda dropped the ball on this one. SELinux has changed considerably since then, so I'll have to see how things are being done now. Pretty much need to start over.