Eric Paris wrote:
> On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
>> On Thu, 30 Aug 2007 14:56:48 -0400
>> John Griffiths <fedora01@xxxxxxxxxxx> wrote:
>>> policy_module(gallery, 1.0)
>>>
>>> require {
>>>     type unlabeled_t;
>>>     type httpd_t;
>>>     type httpd_tmp_t;
>>>     type httpd_sys_script_t;
>>>     type public_content_rw_t;
>>>     class file { read write unlink };
>>>     class dir { write remove_name add_name };
>>> }
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t unlabeled_t:file { read write };
>>
>> There shouldn't be any unlabeled files around; the policy should ensure
>> that any files used or created by gallery are labeled properly. If
>> that's done, this rule shouldn't be needed.
>
> Regardless of the correctness of the gallery2 policy, unlabeled_t is
> (almost) always a bug of one kind or another. Did you create some files
> with SELinux completely disabled rather than just permissive? Do you
> have these files on a filesystem policy knows nothing about (typically a
> new FUSE filesystem)?
>
> Tracking down what files are unlabeled_t and how they got that way is
> the solution; no rules should allow unlabeled_t.

Thanks. I suspected that was a problem. I'll find the unlabeled_t files
and see what they are. Strange though, I had just done a touch
/.autorelabel and rebooted a couple of days before.

Regards,
John
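
An added example, not part of the original messages: one way to do the tracking-down step discussed in the thread is to pull the objects behind unlabeled_t denials out of the audit log. The AVC lines below are constructed samples, `unlabeled_targets` is a hypothetical helper name, and the usual log location /var/log/audit/audit.log is assumed.

```shell
#!/bin/sh
# Added example: list the objects behind unlabeled_t AVC denials.
# unlabeled_targets is a hypothetical helper name, not an SELinux tool.

# Reads audit log lines on stdin; prints "dev ino tclass name" once per
# object whose target context type is unlabeled_t.
unlabeled_targets() {
    awk '
    /avc: +denied/ {
        dev = ino = name = tclass = ttype = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # permission words carry no key
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)             # name= and comm= are quoted
            if (key == "dev") dev = val
            else if (key == "ino") ino = val
            else if (key == "name") name = val
            else if (key == "tclass") tclass = val
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        if (ttype != "unlabeled_t") next   # only the unlabeled targets
        id = dev SUBSEP ino
        if (!(id in seen)) { seen[id] = 1; print dev, ino, tclass, name }
    }'
}

# Constructed sample denials (not from the thread): the same file denied
# twice, one denial on a labeled file, one unlabeled file on another device.
SAMPLE_AVC='type=AVC msg=audit(1188500000.101:41): avc:  denied  { read write } for  pid=2301 comm="php-cgi" name="lock.db" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1188500003.512:44): avc:  denied  { read write } for  pid=2307 comm="php-cgi" name="lock.db" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1188500004.020:45): avc:  denied  { unlink } for  pid=2307 comm="php-cgi" name="sess_1" dev=dm-0 ino=4410 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1188500009.770:52): avc:  denied  { read } for  pid=2310 comm="php-cgi" name="index.dat" dev=sdb1 ino=12 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | unlabeled_targets

# On a real host: unlabeled_targets < /var/log/audit/audit.log
# Then resolve each inode on its own filesystem and relabel it:
#   find <mountpoint-of-dev> -xdev -inum <ino>
#   restorecon -v <path>
```

The `dev` column shows which filesystem the file is on, which separates "a few files created while SELinux was disabled" from "a whole filesystem the policy does not know about".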