On Thu, 30 Aug 2007 14:56:48 -0400
John Griffiths <fedora01(a)grifent.com> wrote:
I am using the gallery2 tar ball from
http://codex.gallery2.org/Downloads ; it stays more up to date. They
have a policy for selinux, but the log still had AVCs in it and
denials that prevented gallery2 and specifically the watermark plugin
from working. File and directory permissions were an issue. One of
the directories is shared by samba so it has the context of
public_content_rw_t.
I used audit2allow to get things working, but I would like someone
more knowledgeable than me to take a look and see if I have opened any
gaping holes and if so, how to best address the issue.
policy_module(gallery, 1.0)
require {
type unlabeled_t;
type httpd_t;
type httpd_tmp_t;
type httpd_sys_script_t;
type public_content_rw_t;
class file { read write unlink };
class dir { write remove_name add_name };
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };
There shouldn't be any unlabeled files around; the policy should ensure
that any files used or created by gallery are labeled properly. If
that's done, this rule shouldn't be needed.
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
Not sure about this one. What are the httpd_tmp_t files that gallery is
trying to read?
#============= httpd_t ==============
allow httpd_t public_content_rw_t:dir { write remove_name add_name };
allow httpd_t public_content_rw_t:file unlink;
Setting the allow_httpd_anon_write boolean should remove the need for
these rules.
Paul.
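The advice in the reply comes down to three different fixes for three different kinds of denial: relabel the files (unlabeled_t), flip an existing boolean (httpd_t writing to public_content_rw_t), or stop and look (httpd_tmp_t). The script below is an added example, not part of the thread or of the gallery2 policy; it reads AVC lines and prints the least-invasive fix for each instead of handing everything to audit2allow. The three sample AVC lines are constructed to mirror the rules in John's module (paths, pids and inode numbers are invented), and the mapping from denial to fix is the one stated in Paul's reply.

```shell
#!/bin/sh
# Added example: triage AVC denials before writing allow rules.
# Constructed sample audit.log lines modelled on the three rules in the
# posted module (one per kind of denial). Paths/pids/inodes are invented.
SAMPLE_AVCS='type=AVC msg=audit(1188500000.123:4567): avc:  denied  { read write } for  pid=1234 comm="php" path="/var/www/gallery2/g2data/cache/x.inc" dev=sda3 ino=999 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1188500001.456:4568): avc:  denied  { write add_name } for  pid=1235 comm="httpd" name="albums" dev=sda3 ino=1000 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1188500002.789:4569): avc:  denied  { getattr read } for  pid=1234 comm="php" path="/tmp/phpXXX" dev=sda3 ino=1001 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... in one AVC line, quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission list inside "denied { ... }"
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: type component of user:role:type:level
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# recommend_fix LINE: one-line recommendation for a single AVC denial.
# unlabeled_t       -> relabel; the file lost its label, no rule needed
# httpd_t -> public_content_rw_t write -> existing boolean covers it
# anything else     -> needs a human look before any allow rule
recommend_fix() {
  line=$1
  src=$(ctx_type "$(avc_field "$line" scontext)")
  tgt=$(ctx_type "$(avc_field "$line" tcontext)")
  cls=$(avc_field "$line" tclass)
  perms=$(avc_perms "$line")
  path=$(avc_field "$line" path)
  [ -n "$path" ] || path=$(avc_field "$line" name)
  case "$src:$tgt:$cls" in
    *:unlabeled_t:*)
      printf 'relabel: restorecon -Rv %s  (unlabeled_t: fix the label, do not allow it)\n' "${path:-<path>}" ;;
    httpd_t:public_content_rw_t:dir|httpd_t:public_content_rw_t:file)
      printf 'boolean: setsebool -P allow_httpd_anon_write on  (httpd_t %s on %s)\n' "$perms" "$tgt" ;;
    *)
      printf 'review: %s -> %s:%s { %s } needs a human look before any allow rule\n' "$src" "$tgt" "$cls" "$perms" ;;
  esac
}

# Triage every sample line; real use: grep avc: /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r l; do recommend_fix "$l"; done
```

Nothing here touches the running system; it only prints the restorecon or setsebool command to consider. The third case deliberately refuses to suggest a rule, since the reply leaves the httpd_tmp_t denial as an open question.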