On Thu, 30 Aug 2007 14:56:48 -0400 John Griffiths <fedora01@xxxxxxxxxxx> wrote:

> I am using the gallery2 tar ball from
> http://codex.gallery2.org/Downloads ; it stays more up to date. They
> have a policy for selinux, but the log still had AVCs in it and
> denials that prevented gallery2 and specifically the watermark plugin
> from working. File and directory permissions were an issue. One of
> the directories is shared by samba so it has the context of
> public_content_rw_t.
>
> I used audit2allow to get things working, but I would like someone
> more knowledgeable than me to take a look and see if I have opened any
> gaping holes and if so, how to best address the issue.
>
>
> policy_module(gallery, 1.0)
>
> require {
>         type unlabeled_t;
>         type httpd_t;
>         type httpd_tmp_t;
>         type httpd_sys_script_t;
>         type public_content_rw_t;
>         class file { read write unlink getattr };
>         class dir { write remove_name add_name };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };

There shouldn't be any unlabeled files around; the policy should ensure
that any files used or created by gallery are labeled properly. If
that's done, this rule shouldn't be needed.

> allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

Not sure about this one. What are the httpd_tmp_t files that gallery is
trying to read?

> #============= httpd_t ==============
> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
> allow httpd_t public_content_rw_t:file unlink;

Setting the allow_httpd_anon_write boolean should remove the need for
these rules.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
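The two points Paul raises (rules on unlabeled_t mean the files need a proper label, and httpd_t write access to public_content_rw_t is exactly what the allow_httpd_anon_write boolean grants) can be turned into a small triage check that is run over an audit2allow-generated module before loading it. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from gallery2. The embedded module text is a constructed copy of the rules John posted, the parser handles only plain `allow` rules (no interfaces, attributes or conditional blocks), and the list of "write-like" permissions is the author's own choice, not an SELinux-defined set.

```python
"""Triage an audit2allow-generated SELinux module against two review points:
rules whose target is unlabeled_t (the files should be labeled instead), and
httpd_t write access to public_content_rw_t (granted by the
allow_httpd_anon_write boolean rather than by a custom rule).
Added example; the module text below is a constructed copy of the posted one.
"""
import re
from dataclasses import dataclass

# Constructed copy of the posted gallery.te (hypothetical file content).
GALLERY_TE = """\
policy_module(gallery, 1.0)

require {
    type unlabeled_t;
    type httpd_t;
    type httpd_tmp_t;
    type httpd_sys_script_t;
    type public_content_rw_t;
    class file { read write unlink getattr };
    class dir { write remove_name add_name };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

#============= httpd_t ==============
allow httpd_t public_content_rw_t:dir { write remove_name add_name };
allow httpd_t public_content_rw_t:file unlink;
"""

# Matches "allow <src> <tgt>:<class> { p1 p2 };" or "allow <src> <tgt>:<class> p;"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;",
    re.MULTILINE,
)

# Permissions that modify content; assumed set chosen for this example, it is
# what a "write" boolean such as allow_httpd_anon_write is meant to cover.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name",
               "remove_name", "rmdir", "setattr", "link"}


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

    def text(self):
        perms = " ".join(sorted(self.perms))
        return f"allow {self.source} {self.target}:{self.tclass} {{ {perms} }};"


def parse_allow_rules(te_text):
    """Extract plain allow rules from module source text."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.append(AllowRule(src, tgt, cls, frozenset(perms)))
    return rules


def triage(rule):
    """Return (verdict, reason) for one allow rule."""
    if rule.target == "unlabeled_t":
        return ("relabel",
                "target is unlabeled_t: give the files a proper type "
                "(semanage fcontext + restorecon) instead of allowing access "
                "to unlabeled content")
    if (rule.source == "httpd_t" and rule.target == "public_content_rw_t"
            and rule.perms & WRITE_PERMS):
        return ("boolean",
                "httpd_t write access to public_content_rw_t is covered by "
                "'setsebool -P allow_httpd_anon_write on'")
    return ("review",
            "not covered by a standard boolean or by relabeling; inspect the "
            "AVC that produced it before keeping the rule")


def triage_module(te_text):
    """Return [(rule text, verdict, reason), ...] for every allow rule."""
    return [(r.text(), *triage(r)) for r in parse_allow_rules(te_text)]


if __name__ == "__main__":
    for text, verdict, reason in triage_module(GALLERY_TE):
        print(f"[{verdict:8}] {text}\n           {reason}")
```

Running it over the posted module flags the unlabeled_t rule for relabeling, both httpd_t rules as replaceable by the boolean, and leaves only the httpd_tmp_t rule for manual review, which matches the reply above. The verdicts are advice, not proof: a rule marked "boolean" still needs the boolean actually set and the denial re-tested, and a "review" rule should be traced back to the AVC in the audit log before it is shipped.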