++## Allow ZoneMinder to run su/sudo. ++##
++##+## Allow ZoneMinder to modify public files +## used for public file transfer services. +##
@@ -78735,7 +78897,8 @@ index 0000000..a98b795 +manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file }) ++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file }) + +manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) +manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) @@ -78748,6 +78911,8 @@ index 0000000..a98b795 + +kernel_read_system_state(zoneminder_t) + ++domain_read_all_domains_state(zoneminder_t) ++ +corecmd_exec_bin(zoneminder_t) +corecmd_exec_shell(zoneminder_t) + 
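Review bot: `domain_read_all_domains_state(zoneminder_t)` in the second hunk (@@ -78748) grants read access to the /proc state of every domain on the system, which is a broad interface for a camera daemon to hold unconditionally; if it is only needed on the new `zoneminder_run_sudo` path (su/sudo inspecting their parent process, presumably — confirm against the denial), it belongs inside that tunable rather than at top level. Either way the rule should carry a one-line comment naming the access it resolves, e.g. `# needed for <AVC denial — TODO fill in>; not limited to the zoneminder_run_sudo tunable because ...`, so the next maintainer can tell whether a narrower interface would do. The `manage_lnk_files_pattern`/`lnk_file` filetrans additions in the first hunk look self-explanatory and need nothing.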
@@ -78761,16 +78926,45 @@ index 0000000..a98b795 +dev_read_video_dev(zoneminder_t) +dev_write_video_dev(zoneminder_t) + -+files_read_usr_files(zoneminder_t) -+ +auth_use_nsswitch(zoneminder_t) + +logging_send_syslog_msg(zoneminder_t) ++logging_send_audit_msgs(zoneminder_t) ++ ++mta_send_mail(zoneminder_t) + +tunable_policy(`zoneminder_anon_write',` + miscfiles_manage_public_files(zoneminder_t) +') + ++tunable_policy(`zoneminder_run_sudo',` ++ allow zoneminder_t self:capability { setrlimit setuid setgid sys_resource } ++ allow zoneminder_t self:key write; ++ allow zoneminder_t self:process setsched; ++ allow zoneminder_t self:passwd rootok; ++ ++ auth_rw_lastlog(zoneminder_t) ++ ++ selinux_compute_access_vector(zoneminder_t) ++ ++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t) ++ systemd_dbus_chat_logind(zoneminder_t) ++ ++ xserver_exec_xauth(zoneminder_t) ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ dbus_system_bus_client(zoneminder_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ sudo_exec(zoneminder_t) ++ su_exec(zoneminder_t) ++ ') ++') +optional_policy(` + mysql_stream_connect(zoneminder_t) +') @@ -78787,7 +78981,12 @@ index 0000000..a98b795 + #allow httpd_zoneminder_script_t self:shm create_shm_perms; + + manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++ ++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++ + zoneminder_stream_connect(httpd_zoneminder_script_t) ++ ++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) + + files_search_var_lib(httpd_zoneminder_script_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 0b52254..9b115ed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
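Review bot: The `zoneminder_run_sudo` tunable in the first hunk (@@ -78761) gives zoneminder_t itself `capability { setrlimit setuid setgid sys_resource }` and `self:passwd rootok` with no domain transition (`sudo_exec`/`su_exec` run su and sudo in the caller's domain), so with the boolean on the whole daemon, not just its su/sudo children, can change identity and satisfy the PAM rootok check; the block needs a comment stating which ZoneMinder operation requires this and why a transition is not used. A short header such as `# su/sudo run in zoneminder_t without a transition: identity switch, pam_rootok, logind session registration; each rule below maps to a denial seen with zoneminder_run_sudo on — TODO list them` would let a reader weigh the added privilege before enabling the boolean. The same hunk drops `files_read_usr_files(zoneminder_t)` without explanation; if it is now covered by a rule outside this hunk, the commit message should say so. Finally, the last `++')` of the sudo blocks runs straight into ` +optional_policy(` for `mysql_stream_connect` with no separating blank line, unlike the rest of the file; add a `++` blank line there.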
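Review bot: `rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)` in the second hunk (@@ -78787) grants the web CGI domain read/write on ZoneMinder's tmpfs files, but nothing visible here lets that domain search the tmpfs directory those files live in; unless it is granted elsewhere in the block, `fs_search_tmpfs(httpd_zoneminder_script_t)` is needed alongside it, and a comment saying what is shared (presumably the live image / shared-memory files — confirm) would explain the rule. `can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)` likewise deserves a one-line comment naming which script the daemon runs, since it lets zoneminder_t execute the CGI entry points in its own domain without a transition. Both rules sit inside an optional_policy block whose opening line is outside the hunk.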
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 98%{?dist} +Release: 99%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,40 @@ SELinux Reference policy mls base module. %endif %Changelog +* Fri Aug 2 2013 Miroslav Grepl