Bug 1592555

Summary: Zoneminder policy in SELinux still prevents Zoneminder from working
Product: Fedora
Component: selinux-policy
Version: 28
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Type: Bug
Reporter: Tristan Santore <tristan.santore>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, kevin.vanhooren, lvrabec, mgrepl, plautrba, pmoore, tristan.santore
Fixed In Version: selinux-policy-3.14.1-36.fc28
Doc Type: If docs needed, set a value
Last Closed: 2018-07-29 03:23:41 UTC

Attachments:
  Ausearch Recent, with httpd_t, zoneminder_t and zoneminder_script_t set to permissive (flags: none)

Description Tristan Santore 2018-06-18 20:05:12 UTC
Created attachment 1452723 [details]
Ausearch Recent, with httpd_t, zoneminder_t and zoneminder_script_t set to permissive

Description of problem:
1. Zoneminder will not start, meaning the sources (cameras) are inaccessible and blurred out.
2. Email cannot be sent, if an event is detected and an alarm email is to be sent.
3. FTP uploads to an off-site location will not work.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-32.fc28.noarch

How reproducible:
Install zoneminder and set up. Zoneminder starts, but web interface cannot access camera feeds, send email, upload to ftp.

Additional info:

zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled; vendor >
   Active: active (running) since Mon 2018-06-18 20:04:47 BST; 20min ago
  Process: 891 ExecStop=/usr/bin/zmpkg.pl stop (code=exited, status=0/SUCCESS)
  Process: 933 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS)
 Main PID: 942 (zmdc.pl)
    Tasks: 20 (limit: 4915)
   Memory: 818.3M
   CGroup: /system.slice/zoneminder.service
           ├─ 942 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
           ├─ 972 /usr/bin/zmc -d /dev/video2
           ├─ 976 /usr/bin/zma -m 1
           ├─ 985 /usr/bin/zmc -d /dev/video0
           ├─ 993 /usr/bin/zma -m 2
           ├─1001 /usr/bin/zmc -d /dev/video4
           ├─1007 /usr/bin/zma -m 9
           ├─1016 /usr/bin/zmc -d /dev/video3
           ├─1029 /usr/bin/zma -m 13
           ├─1043 /usr/bin/zmc -d /dev/video1
           ├─1049 /usr/bin/zmc -d /dev/video7
           ├─1056 /usr/bin/zma -m 17
           ├─1062 /usr/bin/zmc -d /dev/video6
           ├─1068 /usr/bin/zma -m 18
           ├─1074 /usr/bin/zmc -d /dev/video5
           ├─1080 /usr/bin/zma -m 19
           ├─1082 /usr/bin/perl -wT /usr/bin/zmfilter.pl
           ├─1088 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
           ├─1092 /usr/bin/perl -wT /usr/bin/zmwatch.pl
           └─1099 /usr/bin/perl -w /usr/bin/zmtelemetry.pl


for file in `rpm -ql zoneminder|grep bin`;do ls -alZ $file; done
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1282544 Mar  9 02:41 /usr/bin/zma
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 23184 Mar  9 02:39 /usr/bin/zmaudit.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1286832 Mar  9 02:41 /usr/bin/zmc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 13606 Mar  9 02:39 /usr/bin/zmcamtool.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 7017 Mar  9 02:39 /usr/bin/zmcontrol.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 23120 Mar  9 02:39 /usr/bin/zmdc.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1290728 Mar  9 02:41 /usr/bin/zmf
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 31800 Mar  9 02:39 /usr/bin/zmfilter.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 11705 May  9  2017 /usr/bin/zmonvif-probe.pl
-rwxr-xr-x. 1 root root system_u:object_r:zoneminder_exec_t:s0 13689 Mar  9 02:39 /usr/bin/zmpkg.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 2150 Mar  9 02:39 /usr/bin/zmsystemctl.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 11737 Mar  9 02:39 /usr/bin/zmtelemetry.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 5940 Mar  9 02:39 /usr/bin/zmtrack.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 19173 Mar  9 02:39 /usr/bin/zmtrigger.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1308472 Mar  9 02:41 /usr/bin/zmu
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 44649 Mar  9 02:39 /usr/bin/zmupdate.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 7748 Mar  9 02:39 /usr/bin/zmvideo.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 6706 Mar  9 02:39 /usr/bin/zmwatch.pl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 24511 Mar  9 02:39 /usr/bin/zmx10.pl
total 1280
drwxr-xr-x. 2 root root system_u:object_r:zoneminder_script_exec_t:s0    4096 Jun 12 11:58 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0                       4096 Mar  9 02:41 ..
lrwxrwxrwx. 1 root root system_u:object_r:zoneminder_script_exec_t:s0       3 Mar  9 02:41 nph-zms -> zms
-rwxr-xr-x. 1 root root system_u:object_r:zoneminder_script_exec_t:s0 1299240 Mar  9 02:41 zms
lrwxrwxrwx. 1 root root system_u:object_r:zoneminder_script_exec_t:s0 3 Mar  9 02:41 /usr/libexec/zoneminder/cgi-bin/nph-zms -> zms
-rwxr-xr-x. 1 root root system_u:object_r:zoneminder_script_exec_t:s0 1299240 Mar  9 02:41 /usr/libexec/zoneminder/cgi-bin/zms


################################################################
Zoneminder Policy Module
################################################################


Zoneminder makes extensive use of sockets, in order to facilitate compartmentalisation.

This is the module I sent to fix, but I suspect we need to be a bit more specific.

module zoneminder2018 1.3;

require {
        type sysfs_t;
        type zoneminder_script_t;
        type zoneminder_var_lib_t;
        type zoneminder_t;
        type v4l_device_t;
        type init_var_run_t;
        type cert_t;
        type httpd_t;
        type syslogd_t;
        type zoneminder_tmpfs_t;
        type smtp_port_t;
        type tmpfs_t;
        type ftp_port_t;
        type ephemeral_port_t;
        class file { create getattr lock map open read unlink write };
        class chr_file map;
        class lnk_file read;
        class dir { create read rmdir search write add_name };
        class unix_dgram_socket sendto;
        class sock_file { create unlink };
        class process { noatsecure rlimitinh siginh };
        class tcp_socket name_connect;
}

# Tunables, off by default: outbound SMTP and FTP from zoneminder_t only get
# allowed when the admin turns them on (setsebool -P zoneminder_can_sendmail on,
# setsebool -P zoneminder_can_ftp on).
bool zoneminder_can_sendmail false;
bool zoneminder_can_ftp false;

#============= httpd_t ==============
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };

#Flagged, but not required.

# Apache needs to read, write and mmap ZoneMinder's tmpfs (shared memory) files
# and to create/remove socket files under the var_lib directory.
allow httpd_t zoneminder_tmpfs_t:file map;
allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };

#============= syslogd_t ==============

# Captured in the same ausearch run; not ZoneMinder-specific.
allow syslogd_t init_var_run_t:lnk_file read;

#============= zoneminder_script_t ==============

# The CGI (zms/nph-zms) domain: read CA certificates and sysfs, talk to httpd
# over a datagram socket, manage its var_lib files and mmap the tmpfs files.
allow zoneminder_script_t cert_t:dir search;
allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read;
allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map;
allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };

#============= zoneminder_t ==============
# Outbound SMTP for event alarm emails, gated behind the boolean above.
if (zoneminder_can_sendmail) {
allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
#add ftp and sftp here
#sftp needs some extra work I guess.
# Outbound FTP for off-site uploads. ephemeral_port_t covers the FTP data
# connection, but it is a broad grant (any unreserved port).
if (zoneminder_can_ftp) {
allow zoneminder_t ftp_port_t:tcp_socket name_connect;
allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}

# The capture/analysis daemons (zmc/zma) mmap the V4L device nodes and the
# shared-memory files in tmpfs.
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_t zoneminder_tmpfs_t:file map;

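The module above was derived from an ausearch run with the ZoneMinder domains set to permissive. The following is an added example (not from the bug report or the selinux-policy project) of how such AVC denials are aggregated into allow rules, in the spirit of audit2allow: it parses `ausearch -m avc` style lines, merges permissions per (source type, target type, class), flags the port rules that are worth gating behind a boolean as the reporter did, and renders a loadable .te module. The sample AVC lines, the module name `zoneminder_local` and the file name `zm.mmap.1` are constructed for illustration and are not the bug's real attachment.

```python
"""Mini audit2allow: turn AVC denials (ausearch -m avc output) into SELinux allow rules."""
import re
from collections import defaultdict

# Constructed sample, modelled on the denials the reporter describes
# (SMTP/FTP connects from zoneminder_t, mmap of a v4l device, httpd_t on
# zoneminder_tmpfs_t). Not the real attachment.
SAMPLE_AVC = """\
type=AVC msg=audit(1529349887.123:401): avc:  denied  { name_connect } for  pid=1082 comm="zmfilter.pl" dest=25 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1529349890.456:402): avc:  denied  { name_connect } for  pid=1082 comm="zmfilter.pl" dest=21 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1529349891.789:403): avc:  denied  { map } for  pid=972 comm="zmc" path="/dev/video2" dev="devtmpfs" ino=1234 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1529349892.000:404): avc:  denied  { read } for  pid=1100 comm="httpd" name="zm.mmap.1" dev="tmpfs" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529349892.100:405): avc:  denied  { write } for  pid=1100 comm="httpd" name="zm.mmap.1" dev="tmpfs" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529349892.200:406): avc:  denied  { map } for  pid=1100 comm="httpd" name="zm.mmap.1" dev="tmpfs" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_tmpfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    # user:role:type:level -> type (e.g. system_u:system_r:zoneminder_t:s0 -> zoneminder_t)
    return context.split(":")[2]


def parse_avc(text):
    """One dict per denial line: source/target types, object class, perms, permissive flag."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": _type_of(m.group("scontext")),
            "target": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            # permissive=1: the domain was permissive, so the access went ahead and
            # later denials of the same operation were still logged. Lines without
            # the field are treated as enforcing.
            "permissive": m.group("permissive") == "1",
        })
    return denials


def aggregate(denials):
    """Merge denials into {(source, target, tclass): sorted perms}, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in rules.items()}


def enforced(denials):
    """Denials that were actually blocked (permissive=0 or no permissive field)."""
    return [d for d in denials if not d["permissive"]]


def port_rules(rules):
    """TCP connects to named port types: candidates to gate behind a boolean."""
    return sorted(k for k in rules if k[2] == "tcp_socket" and k[1].endswith("_port_t"))


def to_te(rules, module="zoneminder_local", version="1.0"):
    """Render aggregated rules as a loadable .te module with a matching require block."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= set(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {{ {' '.join(perms)} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    merged = aggregate(found)
    print(to_te(merged))
    print("# consider gating behind a boolean:", port_rules(merged))
    print("# blocked in enforcing mode:", [(d["source"], d["target"], sorted(d["perms"])) for d in enforced(found)])
```

To load the rendered module on a Fedora host, write it to `zoneminder_local.te` and run `checkmodule -M -m -o zoneminder_local.mod zoneminder_local.te`, `semodule_package -o zoneminder_local.pp -m zoneminder_local.mod` and `semodule -i zoneminder_local.pp`. Unlike the real audit2allow, this script does not consult the loaded policy, so it will happily emit rules that are already allowed; and as with any audit-derived policy, each rule should be reviewed rather than shipped wholesale, which is why the reporter put the SMTP and FTP port rules behind booleans.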
Comment 1 Fedora Update System 2018-07-25 22:29:34 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 2 Fedora Update System 2018-07-26 16:31:50 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 3 Fedora Update System 2018-07-29 03:23:41 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Kevin Vanhooren 2019-05-27 04:17:57 UTC
Is there still no solution for this problem? I have the same problem running Fedora 30 server version.