gallery2 policy

John Griffiths fedora01 at grifent.com
Thu Aug 30 21:25:07 UTC 2007



Eric Paris wrote:
> On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
>   
>> On Thu, 30 Aug 2007 14:56:48 -0400
>> John Griffiths <fedora01 at grifent.com> wrote:
>>     
>
>   
>>>     policy_module(gallery, 1.0)
>>>
>>>     require {
>>>             type unlabeled_t;
>>>             type httpd_t;
>>>             type httpd_tmp_t;
>>>             type httpd_sys_script_t;
>>>             type public_content_rw_t;
>>>             class file { read write unlink };
>>>             class dir { write remove_name add_name };
>>>     }
>>>
>>>     #============= httpd_sys_script_t ==============
>>>     allow httpd_sys_script_t unlabeled_t:file { read write };
>>>       
>> There shouldn't be any unlabeled files around; the policy should ensure
>> that any files used or created by gallery are labeled properly. If
>> that's done, this rule shouldn't be needed.
>>     
>
> Regardless of the correctness of the gallery2 policy, unlabeled_t is
> (almost) always a bug of one kind or another.  Did you create some files
> with selinux completely disabled rather than just permissive?  Do you
> have these files on a filesystem policy knows nothing about (typically a
> new FUSE filesystem)?
>
> Tracking down what files are unlabeled_t and how they got that way is
> the solution; no rules should allow unlabeled_t.
>
>
>   
Thanks. I suspected that was a problem. I'll find the unlabeled_t files 
and see what they are. Strange though, I had just done a touch 
/.autorelabel and rebooted a couple of days before.

Regards,
John
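Eric's advice above is to locate the unlabeled_t files and find out how they got that way rather than write a rule that allows them. As an added example (not from this thread or from the gallery2 policy), the following script filters a "path, context" scan down to entries whose SELinux type is unlabeled_t and, on a real host, shows what restorecon would relabel them to; it assumes GNU find built with SELinux support (-printf %Z) and policycoreutils (matchpathcon, restorecon), and the sample paths and contexts are constructed for the example.

```shell
#!/bin/sh
# Added example: find files carrying the unlabeled_t type and report the
# context the file-context rules say they should have.

# unlabeled_paths: read "path<TAB>context" lines on stdin and print the paths
# whose TYPE field (user:role:type[:range]) is unlabeled_t. Matching on the
# context field, not the name, avoids false hits on files merely named
# "unlabeled_t".
unlabeled_paths() {
    awk -F '\t' '$2 ~ /^[^:]*:[^:]*:unlabeled_t(:|$)/ { print $1 }'
}

# scan_tree: real scan of one filesystem (-xdev) with GNU find, emitting the
# same "path<TAB>context" format so it can be piped into unlabeled_paths.
scan_tree() {
    find "$1" -xdev -printf '%p\t%Z\n' 2>/dev/null
}

# Constructed sample of what scan_tree might print on a host with a couple of
# stray files; these paths and contexts are made up for the example.
sample_lines() {
    printf '%s\t%s\n' \
        /var/www/html/gallery2/g2data/albums/1.jpg system_u:object_r:unlabeled_t:s0 \
        /var/www/html/gallery2/index.php           system_u:object_r:httpd_sys_content_t:s0 \
        /var/www/html/gallery2/g2data/tmp/x        unconfined_u:object_r:unlabeled_t:s0 \
        /tmp/unlabeled_t_notes.txt                 unconfined_u:object_r:user_tmp_t:s0
}

# sample_unlabeled / sample_count: the filter applied to the constructed sample.
sample_unlabeled() { sample_lines | unlabeled_paths; }
sample_count()     { sample_unlabeled | wc -l | tr -d ' '; }

if [ "${1:-}" = "--scan" ]; then
    # On a real host: scan the web root, then for each unlabeled file show the
    # context matchpathcon expects and what restorecon would do (dry run, -n).
    scan_tree /var/www | unlabeled_paths | while IFS= read -r p; do
        printf '%s -> %s\n' "$p" "$(matchpathcon -n "$p")"
        restorecon -nv "$p"
    done
else
    sample_unlabeled
fi
```

Run with --scan as root to scan /var/www; files that keep coming back unlabeled_t after restorecon point at a filesystem the policy has no file-context rules for.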

