Re: gallery2 policy
- From: Paul Howarth <paul city-fan org>
- To: fedora-selinux-list redhat com
- Subject: Re: gallery2 policy
- Date: Thu, 30 Aug 2007 21:09:38 +0100
On Thu, 30 Aug 2007 14:56:48 -0400
John Griffiths <fedora01 grifent com> wrote:
> I am using the gallery2 tar ball from
> http://codex.gallery2.org/Downloads ; it stays more up to date. They
> have a policy for selinux, but the log still had AVCs in it and
> denials that prevented gallery2 and specifically the watermark plugin
> from working. File and directory permissions were an issue. One of
> the directories is shared by samba so it has the context of
> public_content_rw_t.
>
> I used audit2allow to get things working, but I would like someone
> more knowledgeable than me to take a look and see if I have opened any
> gaping holes and if so, how to best address the issue.
>
>
> policy_module(gallery, 1.0)
>
> require {
> type unlabeled_t;
> type httpd_t;
> type httpd_tmp_t;
> type httpd_sys_script_t;
> type public_content_rw_t;
> class file { read write unlink };
> class dir { write remove_name add_name };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };
There shouldn't be any unlabeled files around; the policy should ensure
that any files used or created by gallery are labeled properly. If
that's done, this rule shouldn't be needed.
> allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
Not sure about this one. What are the httpd_tmp_t files that gallery is
trying to read?
> #============= httpd_t ==============
> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
> allow httpd_t public_content_rw_t:file unlink;
Setting the allow_httpd_anon_write boolean should remove the need for
these rules.
Paul.
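As an added illustration of the review logic in this reply (this is example code, not part of the thread and not gallery2's own policy), the script below parses AVC denial lines of the kind audit2allow consumes and applies the two checks made above before suggesting any allow rule: a denial whose target is unlabeled_t is a labeling problem to fix with restorecon or semanage fcontext, and an httpd domain writing to public_content_rw_t is covered by the allow_httpd_anon_write boolean named in the reply (later Fedora releases renamed it httpd_anon_write). Anything else is flagged for manual review with the path involved. The three AVC lines are constructed samples, not the original poster's log.

```python
import re

# Constructed sample of three AVC denials in the shape audit2allow would see;
# these are illustrative lines, not the ones from the original thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1188500000.123:456): avc:  denied  { read write } for  pid=2345 comm="php-cgi" path="/var/www/html/gallery2/g2data/tmp/upload.jpg" dev=sda3 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1188500001.456:457): avc:  denied  { write add_name } for  pid=2346 comm="httpd" name="albums" dev=sda3 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1188500002.789:458): avc:  denied  { getattr read } for  pid=2347 comm="php-cgi" path="/var/tmp/sess_abc123" dev=sda3 ino=9012 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that mean the domain is modifying the object, i.e. the ones
# the anon-write boolean is meant to cover.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "link",
               "add_name", "remove_name", "rmdir", "setattr"}
HTTPD_DOMAINS = {"httpd_t", "httpd_sys_script_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "?"),
        # file denials carry path=, directory denials usually only name=
        "path": fields.get("path") or fields.get("name", "?"),
    }


def triage(avc):
    """Map a denial to the remedy a reviewer would suggest before any allow rule."""
    if avc["ttype"] == "unlabeled_t":
        return ("relabel",
                "target is unlabeled: fix the file context (semanage fcontext / "
                "restorecon) rather than granting access to unlabeled_t")
    if (avc["stype"] in HTTPD_DOMAINS
            and avc["ttype"] == "public_content_rw_t"
            and avc["perms"] & WRITE_PERMS):
        # boolean name as used in the reply; newer releases call it httpd_anon_write
        return ("boolean", "setsebool -P allow_httpd_anon_write on")
    return ("review",
            "%s (%s) wants %s on %s:%s at %s; confirm the file is legitimately "
            "gallery's before writing a rule" % (
                avc["stype"], avc["comm"], " ".join(sorted(avc["perms"])),
                avc["ttype"], avc["tclass"], avc["path"]))


def triage_log(text):
    """Run triage over every AVC line in an audit log excerpt."""
    results = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            action, reason = triage(avc)
            results.append({"avc": avc, "action": action, "reason": reason})
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_AUDIT):
        print("%-8s %s" % (r["action"], r["reason"]))
```

Feed it `ausearch -m avc` output (or the raw audit.log) instead of the embedded sample. The "boolean" outcome is deliberately kept separate from "review": allow_httpd_anon_write lets httpd write to every public_content_rw_t object on the system, not just the gallery share, so it is the right fix only when that is acceptable; otherwise the directory should get a type of its own (httpd_sys_content_rw_t style) and the Samba side should be reconsidered.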