Re: gallery2 policy

On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
> On Thu, 30 Aug 2007 14:56:48 -0400
> John Griffiths <fedora01@xxxxxxxxxxx> wrote:

> >     policy_module(gallery, 1.0)
> > 
> >     require {
> >             type unlabeled_t;
> >             type httpd_t;
> >             type httpd_tmp_t;
> >             type httpd_sys_script_t;
> >             type public_content_rw_t;
> >             class file { read write unlink };
> >             class dir { write remove_name add_name };
> >     }
> > 
> >     #============= httpd_sys_script_t ==============
> >     allow httpd_sys_script_t unlabeled_t:file { read write };
> 
> There shouldn't be any unlabeled files around; the policy should ensure
> that any files used or created by gallery are labeled properly. If
> that's done, this rule shouldn't be needed.

Regardless of the correctness of the gallery2 policy, unlabeled_t is
(almost) always a bug of one kind or another.  Did you create some files
with SELinux completely disabled rather than just permissive?  Do you
have these files on a filesystem policy knows nothing about (typically a
new FUSE filesystem)?

Tracking down what files are unlabeled_t and how they got that way is
the solution; no rules should allow unlabeled_t.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
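
The tracking-down step suggested in the reply above, as an added example that is not part of the original message: a filter that reads audit records and reports each object whose target context type is unlabeled_t, with the device and inode needed to locate it. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the objects behind AVC denials that target unlabeled_t.

# Constructed sample audit records (not taken from the thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1188500001.101:51): avc:  denied  { read write } for  pid=2301 comm="php-cgi" name="data.db" dev=dm-0 ino=1234567 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1188500001.101:51): arch=40000003 syscall=5 success=no exit=-13 comm="php-cgi"
type=AVC msg=audit(1188500002.202:52): avc:  denied  { read write } for  pid=2302 comm="php-cgi" name="data.db" dev=dm-0 ino=1234567 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1188500003.303:53): avc:  denied  { write } for  pid=2290 comm="httpd" name="upload" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir
type=AVC msg=audit(1188500004.404:54): avc:  denied  { getattr } for  pid=2303 comm="php-cgi" name="albums" dev=sdb1 ino=42 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
EOF
}

# Read audit records on stdin and print, once per distinct combination,
# "tclass dev ino name source_type perms" for denials on unlabeled_t objects.
unlabeled_targets() {
    awk '
    /avc:/ && /denied/ {
        split("", kv); perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        # A context is user:role:type[:level]; the type is the third field.
        split(kv["tcontext"], t, ":")
        if (t[3] != "unlabeled_t") next
        split(kv["scontext"], s, ":")
        gsub(/"/, "", kv["name"]); gsub(/"/, "", kv["dev"])
        row = kv["tclass"] " " kv["dev"] " " kv["ino"] " " kv["name"] " " s[3] " " perms
        if (!(row in seen)) { seen[row] = 1; print row }
    }'
}

# Stand-alone run over the constructed sample; on a real host, feed the
# audit log (commonly /var/log/audit/audit.log) to unlabeled_targets instead.
sample_log | unlabeled_targets
```

Each reported dev/ino pair can be resolved to a path with `find <mountpoint> -xdev -inum <ino>`, after which the remaining question is how the file escaped labeling.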
