gallery2 policy

John Griffiths fedora01 at grifent.com
Thu Aug 30 18:56:48 UTC 2007


I am using the gallery2 tarball from 
http://codex.gallery2.org/Downloads ; it stays more up to date. They 
have a policy for selinux, but the log still had AVCs in it and denials 
that prevented gallery2 and specifically the watermark plugin from 
working. File and directory permissions were an issue. One of the 
directories is shared by samba so it has the context of public_content_rw_t.

I used audit2allow to get things working, but I would like someone more 
knowledgeable than me to take a look and see if I have opened any gaping 
holes and if so, how to best address the issue.


    policy_module(gallery, 1.0)

    require {
            type unlabeled_t;
            type httpd_t;
            type httpd_tmp_t;
            type httpd_sys_script_t;
            type public_content_rw_t;
            # getattr is used in a rule below but was missing from the require
            class file { getattr read write unlink };
            class dir { write remove_name add_name };
    }

    #============= httpd_sys_script_t ==============
    # unlabeled_t is any object with no valid SELinux label (e.g. files
    # written while SELinux was off); this rule covers every such file,
    # so relabeling the gallery data (restorecon) is the narrower fix.
    allow httpd_sys_script_t unlabeled_t:file { read write };
    # PHP/CGI scripts reading files apache created in its tmp directory
    allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

    #============= httpd_t ==============
    # add/remove entries in the samba-shared (public_content_rw_t) directory;
    # the stock policy grants this through the allow_httpd_anon_write boolean
    allow httpd_t public_content_rw_t:dir { write remove_name add_name };
    allow httpd_t public_content_rw_t:file unlink;


Thanks,
John Griffiths
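The review the post asks for can be partly mechanised: before loading an audit2allow-generated module, scan it for rules that grant access to unlabeled_t (a labeling problem, not a policy gap) or that duplicate what the stock apache policy already offers behind a boolean, and only build and load it if nothing is flagged. The script below is an added example written for this page, not code from the post or from the gallery2 project. It assumes the Fedora 7-era boolean names allow_httpd_anon_write and allow_httpd_sys_script_anon_write, the standard checkmodule / semodule_package / semodule build chain, and a hypothetical file name gallery.te; the sample .te it writes is constructed to mirror the module posted above.

```shell
#!/bin/sh
# Added example (not from the original post): review an audit2allow-generated
# .te module for rules a reviewer would question before loading it, then
# build and load it only if it is clean. The file name gallery.te and the
# boolean names are assumptions (Fedora 7-era policy).

# Write a module mirroring the posted one to $1 (constructed sample input).
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(gallery, 1.0)

require {
        type unlabeled_t;
        type httpd_t;
        type httpd_tmp_t;
        type httpd_sys_script_t;
        type public_content_rw_t;
        class file { getattr read write unlink };
        class dir { write remove_name add_name };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

#============= httpd_t ==============
allow httpd_t public_content_rw_t:dir { write remove_name add_name };
allow httpd_t public_content_rw_t:file unlink;
EOF
}

# Print a WARN line (plus the preferred fix) for each questionable allow
# rule in $1. Returns 1 if anything was flagged, 0 if the module is clean.
review_te() {
    found=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading blanks
        case "$line" in
            \#*) continue ;;
            allow*unlabeled_t:*)
                echo "WARN: $line"
                echo "  unlabeled_t = objects with no valid label; run" \
                     "'restorecon -Rv <dir>' instead of allowing access"
                found=1 ;;
            allow\ httpd_t\ public_content_rw_t:*|allow\ httpd_sys_script_t\ public_content_rw_t:*)
                echo "WARN: $line"
                echo "  covered by the allow_httpd_anon_write /" \
                     "allow_httpd_sys_script_anon_write booleans (setsebool -P)"
                found=1 ;;
        esac
    done < "$1"
    return $found
}

# Number of flagged rules in $1 (always exits 0, for use in scripts).
count_flagged() {
    review_te "$1" | grep -c '^WARN'
    return 0
}

# checkmodule -> semodule_package -> semodule, as for any hand-written .te.
build_and_load() {
    base=${1%.te}
    checkmodule -M -m -o "$base.mod" "$1" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Usage: sh review_te.sh gallery.te   (refuses to load a flagged module)
if [ $# -ge 1 ]; then
    if review_te "$1"; then
        build_and_load "$1"
    else
        echo "not loading $1: fix the flagged rules first" >&2
        exit 1
    fi
fi
```

Run against the posted module it flags three of the four allow rules: the unlabeled_t rule, whose real fix is `restorecon -Rv` on the gallery data directories, and the two public_content_rw_t rules, which the stock policy already provides once `setsebool -P allow_httpd_anon_write 1` is set (and `allow_httpd_sys_script_anon_write` if the PHP side needs it too). What remains, the httpd_tmp_t read, is the only rule a local module actually needs to carry.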




More information about the selinux mailing list