gallery2 policy
John Griffiths
fedora01 at grifent.com
Fri Aug 31 17:19:26 UTC 2007
Did a re-installation of gallery2 after modifying the policy to remove
the unlabeled_t rule and enabling the seboolean allow_httpd_anon_write
and removing the two rules allow httpd_t public_content_rw_t:dir { write
remove_name add_name }; allow httpd_t public_content_rw_t:file unlink;.
New policy is:
policy_module(gallery, 1.0.3)
require {
type tmp_t;
type httpd_t;
type httpd_tmp_t;
type httpd_sys_script_t;
class file { read write unlink getattr };
class dir { write remove_name add_name };
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
#============= httpd_t ==============
allow httpd_t tmp_t:file { read getattr };
It is the watermark package that is trying to do things with the
unlabeled_t context. Here are the AVCs.
Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc: denied
{ read write } for pid=885 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.067:140): avc: denied
{ read write } for pid=887 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.080:141): avc: denied
{ read write } for pid=889 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.093:142): avc: denied
{ read write } for pid=891 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.105:143): avc: denied
{ read write } for pid=893 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.119:144): avc: denied
{ read write } for pid=895 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.132:145): avc: denied
{ read write } for pid=897 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.144:146): avc: denied
{ read write } for pid=899 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.158:147): avc: denied
{ read write } for pid=901 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.171:148): avc: denied
{ read write } for pid=903 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.184:149): avc: denied
{ read write } for pid=905 comm="sh" name="[eventpoll]"
dev=anon_inodefs ino=289
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
So what choices do I have?
Regards,
John
John Griffiths wrote:
>
>>> allow httpd_sys_script_t file { getattr read };
>>>
>>
>> Not sure about this one. What are the httpd_tmp_t files that gallery is
>> trying to read?
>>
>>
> Gallery2 watermark plugin uses graphic packages such as NetPbm,
> ImageMagick, Dcraw, ffmpeg, GD to convert graphic files and re-write
> them with a watermark image superimposed on them. The typical AVC for
> getattr and read are:
>
> Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied
> { getattr } for pid=19252 comm="composite" name="kohokan_com_png"
> dev=dm-0 ino=2163199
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
> .
> .
> .
> Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc:
> denied { read } for pid=19870 comm="pngtopnm"
> name="kohokan_com_png" dev=dm-0 ino=2163199
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
>
> The kohokan.com.png is a watermark file that is uploaded through the
> web interface.
>
>>> #============= httpd_t ==============
>>> allow httpd_t public_content_rw_t:dir { write remove_name
>>> add_name }; allow httpd_t public_content_rw_t:file unlink;
>>>
>>
>> Setting the allow_httpd_anon_write boolean should remove the need for
>> these rules.
>>
> Thanks. Rules removed and boolean set.
>> Paul.
>
More information about the fedora-selinux-list
mailing list