gallery2 policy

John Griffiths fedora01 at grifent.com
Fri Aug 31 17:19:26 UTC 2007


Did a re-installation of gallery2 after modifying the policy to remove 
the unlabeled_t rule and enabling the seboolean allow_httpd_anon_write 
and removing the two rules allow httpd_t public_content_rw_t:dir { write 
remove_name add_name }; allow httpd_t public_content_rw_t:file unlink;.

New policy is:

    policy_module(gallery, 1.0.3)

    require {
            type tmp_t;
            type httpd_t;
            type httpd_tmp_t;
            type httpd_sys_script_t;
            class file { read write unlink getattr };
            class dir { write remove_name add_name };
    }

    #============= httpd_sys_script_t ==============
    allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

    #============= httpd_t ==============
    allow httpd_t tmp_t:file { read getattr };


It is the watermark package that is trying to do things with the 
unlabeled_t context. Here are the AVCs.

    Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc:  denied 
    { read write } for  pid=885 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.067:140): avc:  denied 
    { read write } for  pid=887 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.080:141): avc:  denied 
    { read write } for  pid=889 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.093:142): avc:  denied 
    { read write } for  pid=891 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.105:143): avc:  denied 
    { read write } for  pid=893 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.119:144): avc:  denied 
    { read write } for  pid=895 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.132:145): avc:  denied 
    { read write } for  pid=897 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.144:146): avc:  denied 
    { read write } for  pid=899 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.158:147): avc:  denied 
    { read write } for  pid=901 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.171:148): avc:  denied 
    { read write } for  pid=903 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
    Aug 31 13:01:54 gei kernel: audit(1188579714.184:149): avc:  denied 
    { read write } for  pid=905 comm="sh" name="[eventpoll]"
    dev=anon_inodefs ino=289
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

So what choices do I have?

Regards,
John

John Griffiths wrote:
>
>>>     allow httpd_sys_script_t file { getattr read };
>>>     
>>
>> Not sure about this one. What are the httpd_tmp_t files that gallery is
>> trying to read?
>>
>>   
> Gallery2 watermark plugin uses graphic packages such as NetPbm, 
> ImageMagick, Dcraw, ffmpeg, GD to convert graphic files and re-write 
> them with a watermark image superimposed on them. The typical AVC for 
> getattr and read are:
>
>    Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc:  denied 
>    { getattr } for  pid=19252 comm="composite" name="kohokan_com_png"
>    dev=dm-0 ino=2163199
>    scontext=system_u:system_r:httpd_sys_script_t:s0
>    tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
>    .
>    .
>    .
>    Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc:    
> denied  { read } for  pid=19870 comm="pngtopnm"
>    name="kohokan_com_png" dev=dm-0 ino=2163199
>    scontext=system_u:system_r:httpd_sys_script_t:s0
>    tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
>
> The kohokan.com.png is a watermark file that is uploaded through the 
> web interface.
>
>>>     #============= httpd_t ==============
>>>     allow httpd_t public_content_rw_t:dir { write remove_name
>>> add_name }; allow httpd_t public_content_rw_t:file unlink;
>>>     
>>
>> Setting the allow_httpd_anon_write boolean should remove the need for
>> these rules.
>>   
> Thanks. Rules removed and boolean set.
>> Paul.
>

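As an added example (not code from the post or the thread), here is a small audit2allow-style pass over the AVC lines quoted in this message, copied from the post and joined back onto one line each as the kernel logs them. It collapses the denials into candidate allow rules in the layout of the policy module above, and sets aside any denial whose target type is unlabeled_t: an allow on unlabeled_t covers every object the policy has no label for, not just the [eventpoll] inode in these denials, so those need the object labeled rather than a rule. The NEVER_ALLOW set and the function names are my own.

```python
import re
from collections import defaultdict

# AVC lines from the post, joined onto one line each (the kernel emits them that way).
SAMPLE_AVCS = """\
Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc:  denied  { read write } for  pid=885 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.067:140): avc:  denied  { read write } for  pid=887 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc:  denied  { getattr } for  pid=19252 comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc:  denied  { read } for  pid=19870 comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
"""

# Pull permissions, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Target types that must never be "fixed" with an allow rule (my own list): unlabeled_t is
# the catch-all for objects the policy has no label for, so allowing it is far wider than
# the single object named in the denial. The fix is to get that object labeled.
NEVER_ALLOW = {"unlabeled_t"}


def summarize(log_text):
    """Collapse denials into {(source_type, target_type, class): set(permissions)}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            summary[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(summary)


def split_denials(summary):
    """Separate denials an allow rule can cover from ones whose target must be relabeled."""
    allow, relabel = {}, {}
    for key, perms in summary.items():
        (relabel if key[1] in NEVER_ALLOW else allow)[key] = perms
    return allow, relabel


def render_rule(key, perms):
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def build_module(name, version, allow):
    """Emit policy_module source in the layout of the post: require block, then rules."""
    types = sorted({s for (s, _t, _c) in allow} | {t for (_s, t, _c) in allow})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in allow.items():
        classes[cls].update(perms)
    out = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + [render_rule(k, p) for k, p in sorted(allow.items())]
    return "\n".join(out) + "\n"
```

Running `build_module("gallery", "1.0.3", split_denials(summarize(SAMPLE_AVCS))[0])` reproduces the httpd_tmp_t rule from the module above and omits the unlabeled_t denials, which are left in the second return value of `split_denials` for relabeling.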