Re: gallery2 policy

Did a re-installation of gallery2 after modifying the policy to remove the unlabeled_t rule, enabling the seboolean allow_httpd_anon_write, and removing the two rules: allow httpd_t public_content_rw_t:dir { write remove_name add_name }; allow httpd_t public_content_rw_t:file unlink;

New policy is:

   policy_module(gallery, 1.0.3)

   require {
           type tmp_t;
           type httpd_t;
           type httpd_tmp_t;
           type httpd_sys_script_t;
           class file { read write unlink getattr };
           class dir { write remove_name add_name };
   }

   #============= httpd_sys_script_t ==============
   allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

   #============= httpd_t ==============
   allow httpd_t tmp_t:file { read getattr };


It is the watermark package that is trying to do things with the unlabeled_t context. Here are the AVCs.

Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc: denied { read write } for pid=885 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.067:140): avc: denied { read write } for pid=887 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.080:141): avc: denied { read write } for pid=889 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.093:142): avc: denied { read write } for pid=891 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.105:143): avc: denied { read write } for pid=893 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.119:144): avc: denied { read write } for pid=895 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.132:145): avc: denied { read write } for pid=897 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.144:146): avc: denied { read write } for pid=899 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.158:147): avc: denied { read write } for pid=901 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.171:148): avc: denied { read write } for pid=903 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.184:149): avc: denied { read write } for pid=905 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

So what choices do I have?

Regards,
John

John Griffiths wrote:

    allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

Not sure about this one. What are the httpd_tmp_t files that gallery is
trying to read?

Gallery2's watermark plugin uses graphics packages such as NetPbm, ImageMagick, Dcraw, ffmpeg and GD to convert graphic files and re-write them with a watermark image superimposed on them. Typical AVCs for getattr and read are:

Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied { getattr } for pid=19252 comm="composite" name="kohokan_com_png"
   dev=dm-0 ino=2163199
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
   .
   .
   .
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: denied { read } for pid=19870 comm="pngtopnm"
   name="kohokan_com_png" dev=dm-0 ino=2163199
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

kohokan.com.png is a watermark file that is uploaded through the web interface.

    #============= httpd_t ==============
    allow httpd_t public_content_rw_t:dir { write remove_name add_name };
    allow httpd_t public_content_rw_t:file unlink;

Setting the allow_httpd_anon_write boolean should remove the need for
these rules.
Thanks. Rules removed and boolean set.
Paul.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
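The triage done by hand in this thread (collect the AVCs, merge the permissions per source type, target type and class, then decide which denials deserve an allow rule, which are really a labeling problem, and which are already covered by a boolean) can be scripted. The block below is an added example for this thread, not code posted by John or Paul and not part of audit2allow or any SELinux tool; it re-implements the grouping step that audit2allow performs and encodes the two judgement calls made above: a denial whose target is unlabeled_t is never turned into an allow rule, and httpd_t write access to public_content_rw_t is reported as the allow_httpd_anon_write boolean instead of a rule. The sample log is constructed: three records are copied from the messages above, and the public_content_rw_t record is made up to exercise the boolean path. The boolean name is the one used in the thread; whether it still governs that access on a given release is an assumption to check with getsebool.

```python
"""Triage SELinux AVC denials into candidate policy rules (added example).

This is not code from the thread or from the SELinux tools. It does the core
of what audit2allow does (group denials by source type, target type and object
class, merge permissions, emit allow rules) and encodes the thread's two
judgement calls: a denial against unlabeled_t is never turned into a rule but
reported for relabeling, and httpd_t writes to public_content_rw_t are reported
as the allow_httpd_anon_write boolean instead of a rule.

SAMPLE_AVCS is constructed: three records are copied from the thread, the
public_content_rw_t record is made up to exercise the boolean path.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# (source type, target type) pairs already governed by a boolean. The boolean
# name is the one used in the thread; assumption: it applies on the target release.
BOOLEAN_HINTS = {
    ("httpd_t", "public_content_rw_t"): "setsebool -P allow_httpd_anon_write 1",
}

SAMPLE_AVCS = """\
Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc: denied { read write } for pid=885 comm="sh" name="[eventpoll]"
   dev=anon_inodefs ino=289
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied { getattr } for pid=19252 comm="composite" name="kohokan_com_png"
   dev=dm-0 ino=2163199
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: denied { read } for pid=19870 comm="pngtopnm"
   name="kohokan_com_png" dev=dm-0 ino=2163199
   scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:07:05 gei kernel: audit(1188083225.001:1067): avc: denied { write add_name } for pid=19871 comm="httpd" name="albums"
   scontext=system_u:system_r:httpd_t:s0
   tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial.

    Records pasted into mail are wrapped over several lines, so the text is
    split at each 'avc: denied' and each piece is collapsed to one line.
    """
    for rec in re.split(r"(?=avc:\s+denied)", text):
        m = AVC_RE.search(" ".join(rec.split()))
        if m:
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), frozenset(m.group("perms").split()))


def triage(text):
    """Merge denials per (source, target, class) and sort them into buckets:
    'allow' (worth a rule), 'relabel' (unlabeled_t target) and 'boolean'."""
    groups = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        groups[(src, tgt, cls)] |= perms
    out = {"allow": [], "relabel": [], "boolean": []}
    for (src, tgt, cls), perms in sorted(groups.items()):
        entry = (src, tgt, cls, sorted(perms))
        if tgt == "unlabeled_t":
            out["relabel"].append(entry)
        elif (src, tgt) in BOOLEAN_HINTS:
            out["boolean"].append(entry + (BOOLEAN_HINTS[(src, tgt)],))
        else:
            out["allow"].append(entry)
    return out


def render_module(name, version, allow):
    """Render the 'allow' bucket as a .te module in the style posted in the thread."""
    types = sorted({t for src, tgt, _, _ in allow for t in (src, tgt)})
    classes = defaultdict(set)
    for _, _, cls, perms in allow:
        classes[cls] |= set(perms)
    lines = [f"policy_module({name}, {version})", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in allow]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = triage(SAMPLE_AVCS)
    print(render_module("gallery", "1.0.3", report["allow"]))
    for src, tgt, cls, perms in report["relabel"]:
        print(f"# relabel, do not allow: {src} -> {tgt}:{cls} {perms}")
    for src, tgt, cls, perms, cmd in report["boolean"]:
        print(f"# boolean instead of a rule ({src} -> {tgt}:{cls} {perms}): {cmd}")
```

Run against the sample, the only rule that reaches the generated module is the httpd_tmp_t getattr/read one that survived in John's policy; the [eventpoll] denials against unlabeled_t are listed for relabeling rather than allowed, and the public_content_rw_t write is answered with the setsebool command Paul suggested. On a real host the same split is worth applying to the output of audit2allow before anything goes into a .te file: a rule granting access to unlabeled_t defeats the point of the labeling.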
