gallery2 policy

John Griffiths fedora01 at grifent.com
Sun Sep 2 22:05:45 UTC 2007



Daniel J Walsh wrote:
> What OS and what version of policy are you running?  You might want to
> yum update selinux-policy
kernel-2.6.22.2-42.fc6
selinux-policy-2.4.6-80.fc6

I believe these are current for FC6.

I did a forced switch of my syslog and httpd. Then I put selinux into 
permissive mode. Then, I wiped out my gallery2 and reinstalled. I am 
doing a multisite gallery2 installation just as a point of reference.  I 
installed every module from the full download. After that I added a few 
pictures; deleted some. Added pictures from a samba share on the server. 
Added pictures from a web page. Added a new album and deleted it, added 
and deleted watermark png graphic files, and generated watermarked 
pictures and thumbnails. Then I changed the email address of the 
administrator and enabled email notification of user registrations. I 
tried to exercise gallery2; I know I did not exercise every branch of 
code, but I think I did much of what many will do. Then I did a

    cat /var/log/messages | audit2allow -m gallery2 >
    ~jrg3/downloads/gallery2/selinux/gallery.te.new

This is the new policy source (I have not implemented it.):

    module gallery2 1.0;

    require {
            type mail_spool_t;
            type unlabeled_t;
            type acct_data_t;
            type httpd_sys_script_t;
            type boot_t;
            type httpd_t;
            type default_t;
            type home_root_t;
            type var_yp_t;
            type httpd_tmp_t;
            type named_zone_t;
            type samba_share_t;
            type var_t;
            type lost_found_t;
            type xserver_log_t;
            class lnk_file read;
            class file { read write getattr };
            class dir { read getattr };
    }

    #============= httpd_sys_script_t ==============
    allow httpd_sys_script_t httpd_tmp_t:file { read getattr };
    allow httpd_sys_script_t unlabeled_t:file { read write };
    allow httpd_sys_script_t var_t:file { read getattr };

    #============= httpd_t ==============
    allow httpd_t acct_data_t:dir getattr;
    allow httpd_t boot_t:dir getattr;
    allow httpd_t default_t:file getattr;
    allow httpd_t default_t:lnk_file read;
    allow httpd_t home_root_t:dir read;
    allow httpd_t lost_found_t:dir getattr;
    allow httpd_t mail_spool_t:dir getattr;
    allow httpd_t mail_spool_t:lnk_file read;
    allow httpd_t named_zone_t:dir getattr;
    allow httpd_t samba_share_t:dir getattr;
    allow httpd_t var_t:dir read;
    allow httpd_t var_yp_t:dir getattr;
    allow httpd_t xserver_log_t:dir getattr;

That is a comprehensive list of rules.

The installation does a lookup of directories as you enter partial 
paths. It looks for host names. The samba share is in /home/<share>. The 
shared gallery2 code base is in /var/www. The data store is in 
/var/www/g2data/<site>, and the gallery2 multisite is in 
http://<FQHN>/<directory structure>/pictures/.

The context on the shared code base is 
system_u:object_r:httpd_sys_content_t. There are Perl, JavaScript, Java 
applets, and shell scripts in the gallery2 modules. They are also 
labeled system_u:object_r:httpd_sys_content_t. I suspect they should be 
system_u:object_r:httpd_sys_script_exec_t. I searched in the selinux 
wiki but did not find any guidelines for labeling scripts and 
executables in the html contexts. I would think those files should be 
treated like cgi but am not clear on that. Would that change things? Is 
there any guidance on which files should have the context 
httpd_sys_script_exec_t?

I kept copies of the messages log file and the httpd access and error 
logs, so all that information is available.

Thanks for the help.

Regards,
John Griffiths
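
The module above is what audit2allow produces when it is pointed at a log full of denials: one allow rule per (source type, target type, class), with the permissions merged. The example below is added by the editor and is not from the post or from the gallery2 project; it is a small imitation of that conversion written so the resulting rules can be reviewed before anyone runs them through checkmodule/semodule_package. The log lines in SAMPLE_LOG are constructed to match the FC6 kernel syslog format and are not the poster's logs; the "mislabel" heuristic (treating denials against unlabeled_t or default_t as files that need restorecon rather than as missing policy) is the editor's rule of thumb, not a property of audit2allow. The rule against unlabeled_t in the posted module is exactly the kind of thing this flags: granting a web script read and write on unlabeled files is far broader than the one config file that probably triggered it.

```python
"""Minimal audit2allow-style converter (added example, not part of the post).

Turns SELinux AVC denial lines into a policy-module skeleton laid out like
audit2allow -m output, and flags generated rules a reviewer should question.
"""
import re
from collections import defaultdict

# Constructed sample lines in the FC6-era kernel/syslog AVC format.
# Illustrative only; not taken from the poster's logs.
SAMPLE_LOG = """\
Sep  2 21:10:33 host kernel: audit(1188767433.101:410): avc:  denied  { getattr } for  pid=2201 comm="httpd" name="boot" dev=sda1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
Sep  2 21:10:34 host kernel: audit(1188767434.102:411): avc:  denied  { read } for  pid=2201 comm="httpd" name="home" dev=sda3 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Sep  2 21:11:02 host kernel: audit(1188767462.103:412): avc:  denied  { read } for  pid=2310 comm="php" name="config.php" dev=sda3 ino=9912 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Sep  2 21:11:02 host kernel: audit(1188767462.104:413): avc:  denied  { write } for  pid=2310 comm="php" name="config.php" dev=sda3 ino=9912 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Sep  2 21:11:05 host sshd[2400]: Accepted publickey for jrg3 from 192.0.2.10 port 51022 ssh2
"""

# Matches the denial in both kernel-syslog and auditd "type=AVC" line shapes.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Editor's heuristic: denials against these targets usually mean the file
# is mislabelled (fix with restorecon), not that policy is missing a rule.
MISLABEL_TYPES = {"unlabeled_t", "default_t"}


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} from log text."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC line (e.g. the sshd noise above)
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def _perm_str(perms):
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"


def render_module(rules, name="gallery2", version="1.0"):
    """Emit .te source in the layout audit2allow -m uses."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_str(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, tclass), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{tclass} {_perm_str(perms)};")
        out.append("")
    return "\n".join(out)


def review(rules):
    """Findings for rules that should not be loaded blindly: mislabel
    targets, and write access handed to a web-facing domain."""
    findings = []
    for (s, t, tclass), perms in sorted(rules.items()):
        if t in MISLABEL_TYPES:
            findings.append(f"{s} -> {t}:{tclass}: target is probably mislabelled; "
                            "relabel (restorecon) instead of allowing")
        elif "write" in perms:
            findings.append(f"{s} -> {t}:{tclass}: grants write; confirm the path needs it")
    return findings


if __name__ == "__main__":
    parsed = parse_avc_denials(SAMPLE_LOG)
    print(render_module(parsed))
    for finding in review(parsed):
        print("WARNING:", finding)
```

Run against a real messages file (`parse_avc_denials(open("/var/log/messages").read())`) it reproduces the shape of the module in the post; the point of the extra `review` step is that an allow rule is the last resort. For the getattr-on-every-directory denials, the usual cause is a path lookup that walks /, /boot, /home and so on, which are harmless to deny; for unlabeled_t the remedy is relabelling the data directory, not widening httpd_sys_script_t.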
