Re: gallery2 policy
- From: John Griffiths <fedora01 grifent com>
- To: fedora-selinux-list redhat com
- Subject: Re: gallery2 policy
- Date: Fri, 31 Aug 2007 12:38:24 -0400
> allow httpd_sys_script_t file { getattr read };
>
> Not sure about this one. What are the httpd_tmp_t files that gallery is
> trying to read?
Gallery2 watermark plugin uses graphic packages such as NetPbm,
ImageMagick, Dcraw, ffmpeg, GD to convert graphic files and re-write
them with a watermark image superimposed on them. The typical AVCs for
getattr and read are:

Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied { getattr } for pid=19252 comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
...
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: denied { read } for pid=19870 comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

The kohokan.com.png is a watermark file that is uploaded through the web
interface.
> #============= httpd_t ==============
> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
> allow httpd_t public_content_rw_t:file unlink;
>
> Setting the allow_httpd_anon_write boolean should remove the need for
> these rules.

Thanks. Rules removed and boolean set.

> Paul.
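The two steps the thread walks through by hand, reading AVC denials off the kernel log, collapsing them into candidate allow rules the way audit2allow would, and then checking whether an existing boolean (here allow_httpd_anon_write for httpd_t writing public_content_rw_t) already covers the access so no custom rule is needed, are shown below as an added Python example. It is not code from the thread or from the gallery2 policy; the three sample log lines are constructed (the first two are the denials quoted above rewritten as single lines, the third is an invented httpd_t write denial), and the BOOLEAN_COVERS table is an illustrative assumption, not a copy of the reference policy's boolean definitions.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials from the thread joined onto single
# lines, plus one constructed httpd_t write denial to exercise the boolean lookup.
SAMPLE_AVCS = """\
Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied { getattr } for pid=19252 comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: denied { read } for pid=19870 comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:08:11 gei kernel: audit(1188083291.001:1070): avc: denied { write add_name } for pid=19871 comm="httpd" name="albums" dev=dm-0 ino=2163200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
"""

# Matches the fields of a kernel AVC denial line that matter for policy work:
# the permission set, the calling program, and the source/target contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate_rules(lines):
    """Merge denials sharing (source type, target type, class) into one rule,
    the way audit2allow does, and remember which programs triggered each."""
    perms_by_key = defaultdict(set)
    comms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms_by_key[key] |= rec["perms"]
        comms_by_key[key].add(rec["comm"])
    return {k: (sorted(v), sorted(comms_by_key[k])) for k, v in perms_by_key.items()}


def format_rule(key, perms):
    """Render an aggregated denial as a policy allow statement."""
    stype, ttype, tclass = key
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


# Illustrative table (an assumption, not the reference policy): accesses that an
# existing boolean already grants, so a custom rule should not be written for them.
# The httpd_t / public_content_rw_t entries mirror the advice in the thread.
BOOLEAN_COVERS = {
    ("httpd_t", "public_content_rw_t", "dir"): "allow_httpd_anon_write",
    ("httpd_t", "public_content_rw_t", "file"): "allow_httpd_anon_write",
}


def recommend(lines):
    """For each aggregated denial return (allow rule, boolean fix or None, programs).
    A non-None boolean fix means: set the boolean instead of adding the rule."""
    out = []
    for key, (perms, comms) in sorted(aggregate_rules(lines).items()):
        boolean = BOOLEAN_COVERS.get(key)
        fix = f"setsebool -P {boolean} 1" if boolean else None
        out.append((format_rule(key, perms), fix, comms))
    return out


if __name__ == "__main__":
    for rule, fix, comms in recommend(SAMPLE_AVCS.splitlines()):
        print(rule, "   # triggered by:", ", ".join(comms))
        if fix:
            print("    -> covered by a boolean, use:", fix)
```

Running the script lists the httpd_sys_script_t read/getattr rule on httpd_tmp_t, attributed to the composite and pngtopnm helpers that gallery2's watermark plugin spawns, as something that still needs a policy decision, while the httpd_t write denial is reported as already covered by allow_httpd_anon_write. The second branch is the useful one in review: an allow rule that duplicates a boolean hides the fact that an administrator has toggled anonymous write for the web server, which is a choice they should make explicitly.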