gallery2 policy

John Griffiths fedora01 at grifent.com
Fri Aug 31 16:38:24 UTC 2007


>>     allow httpd_sys_script_t file { getattr read };
>>     
>
> Not sure about this one. What are the httpd_tmp_t files that gallery is
> trying to read?
>
>   
The Gallery2 watermark plugin uses graphics packages such as NetPbm, 
ImageMagick, Dcraw, ffmpeg, and GD to convert graphic files and re-write 
them with a watermark image superimposed on them. The typical AVCs for 
getattr and read are:

    Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc:  denied 
    { getattr } for  pid=19252 comm="composite" name="kohokan_com_png"
    dev=dm-0 ino=2163199
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
    .
    .
    .
    Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: 
    denied  { read } for  pid=19870 comm="pngtopnm"
    name="kohokan_com_png" dev=dm-0 ino=2163199
    scontext=system_u:system_r:httpd_sys_script_t:s0
    tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

The kohokan.com.png is a watermark file that is uploaded through the web 
interface.

>>     #============= httpd_t ==============
>>     allow httpd_t public_content_rw_t:dir { write remove_name
>> add_name }; allow httpd_t public_content_rw_t:file unlink;
>>     
>
> Setting the allow_httpd_anon_write boolean should remove the need for
> these rules.
>   
Thanks. Rules removed and boolean set.
> Paul.
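To show how the `allow httpd_sys_script_t httpd_tmp_t:file { getattr read };` rule follows from the two denials quoted above, here is an added example (not code from the thread or from Gallery2) that parses AVC lines and merges them into allow rules the way audit2allow does. The sample lines are constructed from the quoted denials, joined onto one line each as they appear in the audit log.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two denials quoted in the thread.
SAMPLE_AVCS = [
    'audit(1188079606.937:995): avc:  denied  { getattr } for  pid=19252 '
    'comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file',
    'audit(1188083224.885:1066): avc:  denied  { read } for  pid=19870 '
    'comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file',
]

# Pull out the denied permission set and the source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def derive_allow_rules(lines):
    """Group denials by (source type, target type, class) and merge permissions,
    yielding one allow rule per triple, as audit2allow would."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return [f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};'
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == '__main__':
    for rule in derive_allow_rules(SAMPLE_AVCS):
        print(rule)
```

Before adding a derived rule to a local module, check whether an existing boolean (as with allow_httpd_anon_write above) already covers the access.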