gallery2 policy
Eric Paris
eparis at redhat.com
Thu Aug 30 20:29:49 UTC 2007
On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
> On Thu, 30 Aug 2007 14:56:48 -0400
> John Griffiths <fedora01 at grifent.com> wrote:
> > policy_module(gallery, 1.0)
> >
> > require {
> > type unlabeled_t;
> > type httpd_t;
> > type httpd_tmp_t;
> > type httpd_sys_script_t;
> > type public_content_rw_t;
> > class file { read write unlink };
> > class dir { write remove_name add_name };
> > }
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t unlabeled_t:file { read write };
>
> There shouldn't be any unlabeled files around; the policy should ensure
> that any files used or created by gallery are labeled properly. If
> that's done, this rule shouldn't be needed.
Regardless of the correctness of the gallery2 policy, unlabeled_t is
(almost) always a bug of one kind or another. Did you create some files
with selinux completely disabled rather than just permissive? Do you
have these files on a filesystem policy knows nothing about (typically a
new FUSE filesystem)?
Tracking down what files are unlabeled_t and how they got that way is
the solution; no rules should allow unlabeled_t.
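The tracking-down step suggested above, as an added shell example that is not part of the thread: it lists files carrying unlabeled_t, groups them by subtree (a whole mount showing up usually points at one cause), and asks the file-context database what label each should have. It assumes GNU find built with SELinux support (for `-context` and `%Z`) and matchpathcon from policycoreutils; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not the gallery2 policy author's code.
# Input format for the two filters below is that of
#   find ... -printf '%Z %p\n'
# i.e. security context in field 1, path in field 2.

# Print only the paths whose type is unlabeled_t.
unlabeled_paths() {
    awk '$1 ~ /:unlabeled_t:/ { print $2 }'
}

# Count unlabeled files per top-two path components, most affected first.
# A single subtree dominating the list hints at files written while SELinux
# was fully disabled, or a filesystem the policy has no labeling rule for.
summarize_unlabeled() {
    awk '$1 ~ /:unlabeled_t:/ {
            n = split($2, p, "/")
            top = "/" p[2] (n > 2 ? "/" p[3] : "")
            count[top]++
         }
         END { for (d in count) printf "%d\t%s\n", count[d], d }' | sort -rn
}

# Live scan of one filesystem (-xdev stays on the mount given).
scan_unlabeled() {
    find "${1:-/}" -xdev -context '*:unlabeled_t:*' \
        -printf '%Z %p\n' 2>/dev/null
}

# Live report: per-subtree counts, then the expected label for each file
# (restorecon -nv <path> shows the same thing as a dry run before fixing).
report_unlabeled() {
    tmp=$(mktemp) || return 1
    scan_unlabeled "$1" > "$tmp"
    summarize_unlabeled < "$tmp"
    unlabeled_paths < "$tmp" | while read -r f; do
        printf '%s -> %s\n' "$f" "$(matchpathcon -n "$f")"
    done
    rm -f "$tmp"
}

# Run as: sh unlabeled.sh --scan /var/www
if [ "${1:-}" = "--scan" ]; then
    report_unlabeled "${2:-/}"
fi
```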