more latest selinux policy change problems

Peter Magnusson iocc at fedora-selinux.lists.flashdance.cx
Tue Jun 21 05:11:31 UTC 2005


A little script that runs in cron complained about stuff after I turned on
selinux for apache again:

mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t':
Permission denied

so I changed the selinux perms on these files. Hope it will work next time 
I turn on selinux for apache. Because now it's off again because of this:

Tested what gallery (http://gallery.sourceforge.net/) would think about 
selinux. It didn't like it at all. It said that it has no rights to write in 
the userfile.

And how would I know what I should set the perms to get it working?

Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc:  denied  { 
write } for  pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 
ino=688180 scontext=root:system_r:httpd_t 
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc:  denied  { 
write } for  pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 
ino=688180 scontext=root:system_r:httpd_t 
tcontext=system_u:object_r:httpd_sys_content_t tclass=file

is what it says. Same problem on another vhost with a counter, just a different 
name= of course.

The thing above is just the main page. It must be able to write dirs 
also, when creating new albums. It must also be able to execute
/usr/bin/convert and maybe other programs also. Hmm, and it stores tmp 
files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :) 
I have no idea how many fixes are needed to get everything working.
Is there anything *generic* for apache-can-write-whatever-it-wants in selinux?
As long as apache can't write in *system files* or execute anything as
root I'm quite happy.

Did the fedora team expect problems like this to be created with the latest 
selinux policy change or is it a surprise for you? It's fine to have it by 
default in a new release of fedora but not to CHANGE it in an update.
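The AVC lines quoted above answer the "how would I know what to set" question once they are read field by field: scontext is the domain that was denied (httpd_t), tcontext is the label of the file it touched (httpd_sys_content_t, a read-only content type), and the braces hold the permission (write). The following script is an added example and is not part of the post; it parses such audit lines and groups the denials by source type, target type and object class, so the files that need a different label (or that should stay read-only) can be listed instead of guessed at. The sample log is constructed from the two denials in the post, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the post, each on one line,
# plus one unrelated kernel line to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc:  denied  { write } for  pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc:  denied  { write } for  pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: eth0: link up
"""

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """Return the type field (user:role:type) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "perms": frozenset(m.group("perms").split()),
        "source": type_of(fields.get("scontext", "")),   # domain that was denied
        "target": type_of(fields.get("tcontext", "")),   # label of the object touched
        "tclass": fields.get("tclass", ""),              # file, dir, ...
        "name": fields.get("name", ""),                  # object name, if logged
    }


def summarize(log_text):
    """Group denials by (source type, target type, class); collect perms and names."""
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = summary[(d["source"], d["target"], d["tclass"])]
        entry["count"] += 1
        entry["perms"] |= d["perms"]
        entry["names"].add(d["name"])
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {sorted(e['perms'])} x{e['count']} names={sorted(e['names'])}")
```

Whether a file that shows up here should be relabelled to a writable type (the post mentions httpd_sys_script_rw_t) or kept read-only is a policy decision the summary only informs; every entry in the output is one such decision.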



