gallery2 policy
Paul Howarth
paul at city-fan.org
Thu Aug 30 20:09:38 UTC 2007
On Thu, 30 Aug 2007 14:56:48 -0400
John Griffiths <fedora01 at grifent.com> wrote:
> I am using the gallery2 tar ball from
> http://codex.gallery2.org/Downloads ; it stays more up to date. They
> have a policy for selinux, but the log still had AVCs in it and
> denials that prevented gallery2 and specifically the watermark plugin
> from working. File and directory permissions were an issue. One of
> the directories is shared by samba so it has the context of
> public_content_rw_t.
>
> I used audit2allow to get things working, but I would like someone
> more knowledgeable than me to take a look as see if I have opened any
> gaping holes and if so, how to best address the issue.
>
>
> policy_module(gallery, 1.0)
>
> require {
> type unlabeled_t;
> type httpd_t;
> type httpd_tmp_t;
> type httpd_sys_script_t;
> type public_content_rw_t;
> class file { read write unlink };
> class dir { write remove_name add_name };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };
There shouldn't be any unlabeled files around; the policy should ensure
that any files used or created by gallery are labeled properly. If
that's done, this rule shouldn't be needed.
> allow httpd_sys_script_t file { getattr read };
Not sure about this one. What are the httpd_tmp_t files that gallery is
trying to read?
> #============= httpd_t ==============
> allow httpd_t public_content_rw_t:dir { write remove_name
> add_name }; allow httpd_t public_content_rw_t:file unlink;
Setting the allow_httpd_anon_write boolean should remove the need for
these rules.
Paul.
More information about the fedora-selinux-list
mailing list