Dear Lukas and Petr,
I have made fixes to the Zoneminder Policy module. Zoneminder will not start with the current one.
Also I took the liberty to add two bools, one for email sending, because Zoneminder can send emails with images when an alarm event was detected on a camera, and another boolean for ftp access, as Zoneminder can upload alarm events to an ftp for safekeeping, in case somebody burgles your house and steals your CCTV gear.
It can also use sftp, but I'm not sure I would really like to add a port for that. But if you would like to add that option, I would leave that up to you.
If you could be so kind as to look over the additions; I suspect there might be a few things in there one might want to avoid, or that require labelling. Or ways to make it more secure.
Policy additions below (will require merging into existing policy):
module zoneminder2018 1.3;

require {
    type sysfs_t;
    type zoneminder_script_t;
    type zoneminder_var_lib_t;
    type zoneminder_t;
    type v4l_device_t;
    type init_var_run_t;
    type cert_t;
    type httpd_t;
    type syslogd_t;
    type zoneminder_tmpfs_t;
    type smtp_port_t;
    type tmpfs_t;
    type ftp_port_t;
    type ephemeral_port_t;
    class file { create getattr lock map open read unlink write };
    class chr_file map;
    class lnk_file read;
    class dir { create read rmdir search write add_name };
    class unix_dgram_socket sendto;
    class sock_file { create unlink };
    class process { noatsecure rlimitinh siginh };
    class tcp_socket name_connect;
}

bool zoneminder_can_sendmail false;
bool zoneminder_can_ftp false;

#============= httpd_t ==============
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
#Flagged, but not required.
allow httpd_t zoneminder_tmpfs_t:file map;
allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };

#============= syslogd_t ==============
allow syslogd_t init_var_run_t:lnk_file read;

#============= zoneminder_script_t ==============
allow zoneminder_script_t cert_t:dir search;
allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto;
allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read;
allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map;
allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };

#============= zoneminder_t ==============
if (zoneminder_can_sendmail) {
    allow zoneminder_t smtp_port_t:tcp_socket name_connect;
}
#add ftp and sftp here
#sftp needs some extra work I guess.
if (zoneminder_can_ftp) {
    allow zoneminder_t ftp_port_t:tcp_socket name_connect;
    allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map;
allow zoneminder_t zoneminder_tmpfs_t:file map;
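As an added example (not from this e-mail, the ZoneMinder project or the Fedora SELinux policy sources): a small Python review helper that parses a hand-written module like the one above and reports which allow rules are on by default versus gated by one of the new booleans, and which rules open outbound TCP connects. It assumes only the .te subset used here (a require block, bool declarations, allow rules, if/else on a boolean, # comments); the embedded module text is the posted policy with line breaks restored and a trimmed require block, which the parser skips anyway.

```python
# Added review helper; not part of the e-mail above or of any SELinux policy
# project. Parses the subset of the policy language used in hand-written .te
# modules (module/require/bool declarations, allow rules, if (bool) {...}
# [else {...}] blocks, # comments) and reports which allow rules are gated by
# a boolean and which open outbound TCP connects, i.e. what is on by default.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AllowRule:
    source: str
    target: str
    cls: str
    perms: List[str]
    condition: Optional[str]  # gating boolean ("!bool" in an else branch), None if unconditional


REQUIRE_RE = re.compile(r"\brequire\s*\{")
IF_RE = re.compile(r"\bif\s*\(\s*(\w+)\s*\)\s*\{")
ELSE_RE = re.compile(r"\}\s*else\s*\{")
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def _strip_comments(text: str) -> str:
    # '#' comments end at the newline, so this has to work line by line
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _skip_braces(text: str, open_idx: int) -> int:
    """Index just past the '}' matching the '{' at open_idx (require blocks nest braces)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in policy text")


def parse_allow_rules(text: str) -> List[AllowRule]:
    """Single pass over the module, tracking if/else nesting to tag each allow rule."""
    text = _strip_comments(text)
    rules: List[AllowRule] = []
    cond_stack: List[str] = []
    i = 0
    while i < len(text):
        if m := REQUIRE_RE.match(text, i):  # skip the whole require { ... } block
            i = _skip_braces(text, m.end() - 1)
        elif m := IF_RE.match(text, i):
            cond_stack.append(m.group(1))
            i = m.end()
        elif (m := ELSE_RE.match(text, i)) and cond_stack:  # '} else {' negates the condition
            cond_stack.append("!" + cond_stack.pop())
            i = m.end()
        elif m := ALLOW_RE.match(text, i):
            cond = cond_stack[-1] if cond_stack else None  # innermost boolean only
            rules.append(AllowRule(m.group(1), m.group(2), m.group(3),
                                   m.group(4).strip("{} ").split(), cond))
            i = m.end()
        else:
            if text[i] == "}" and cond_stack:  # closing an if/else block
                cond_stack.pop()
            i += 1
    return rules


def review(rules: List[AllowRule]) -> Dict[str, object]:
    """What a reviewer wants first: default-on rule count, booleans, and network egress."""
    connects = []
    for r in rules:
        if r.cls == "tcp_socket" and "name_connect" in r.perms:
            note = "; broad: whole ephemeral range, not only FTP data ports" if r.target == "ephemeral_port_t" else ""
            connects.append(f"{r.source} -> {r.target} (gated by {r.condition or 'nothing'}{note})")
    return {
        "total": len(rules),
        "unconditional": sum(r.condition is None for r in rules),
        "booleans": sorted({r.condition.lstrip("!") for r in rules if r.condition}),
        "network_connects": connects,
    }


# The module posted above with line breaks restored; the require block is trimmed
# because the parser skips it.
ZONEMINDER_TE = """
module zoneminder2018 1.3;
require { type zoneminder_t; type smtp_port_t; class tcp_socket name_connect; class file { map read }; }
bool zoneminder_can_sendmail false; bool zoneminder_can_ftp false;
#allow httpd_t zoneminder_script_t:process { noatsecure rlimitinh siginh };
allow httpd_t zoneminder_tmpfs_t:file map; allow httpd_t zoneminder_tmpfs_t:file { getattr open read write };
allow httpd_t zoneminder_var_lib_t:sock_file { create unlink };
allow syslogd_t init_var_run_t:lnk_file read;
allow zoneminder_script_t cert_t:dir search; allow zoneminder_script_t cert_t:file { getattr open read };
allow zoneminder_script_t httpd_t:unix_dgram_socket sendto; allow zoneminder_script_t init_var_run_t:dir search;
allow zoneminder_script_t sysfs_t:dir read; allow zoneminder_script_t sysfs_t:file { getattr open read };
allow zoneminder_script_t zoneminder_tmpfs_t:file map; allow zoneminder_script_t zoneminder_var_lib_t:dir { create rmdir };
allow zoneminder_script_t zoneminder_var_lib_t:file { create getattr lock open read unlink write };
allow zoneminder_script_t tmpfs_t:dir { add_name write };
if (zoneminder_can_sendmail) { allow zoneminder_t smtp_port_t:tcp_socket name_connect; }
if (zoneminder_can_ftp) {
    allow zoneminder_t ftp_port_t:tcp_socket name_connect;
    allow zoneminder_t ephemeral_port_t:tcp_socket name_connect;
}
allow zoneminder_t v4l_device_t:chr_file map; allow zoneminder_t zoneminder_tmpfs_t:file map;
"""

if __name__ == "__main__":
    for key, value in review(parse_allow_rules(ZONEMINDER_TE)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the posted module: 19 allow rules, 16 of them unconditional, both network connects gated by a boolean. The helper also marks the `ephemeral_port_t` connect as broad, since that type covers the whole ephemeral port range rather than just what FTP passive mode happens to use, which is the kind of rule a reviewer typically wants to see kept behind a boolean.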