Re: gallery2 policy
- From: Daniel J Walsh <dwalsh redhat com>
- To: John Griffiths <fedora01 grifent com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: gallery2 policy
- Date: Fri, 31 Aug 2007 17:05:56 -0400
John Griffiths wrote:
> This is what audit2allow is showing now.
>
> tail -n60 /var/log/messages | audit2allow -m local
>
> module local 1.0;
>
> require {
> type unlabeled_t;
> type default_t;
> type boot_t;
> type httpd_t;
> type httpd_sys_script_t;
> type lost_found_t;
> class lnk_file read;
> class dir getattr;
> class file { read write getattr };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };
>
> #============= httpd_t ==============
> allow httpd_t boot_t:dir getattr;
> allow httpd_t default_t:file getattr;
> allow httpd_t default_t:lnk_file read;
> allow httpd_t lost_found_t:dir getattr;
>
> It is getting worse.
>
> Regards,
> John
What OS and what version of policy are you running? You might want to
yum update selinux-policy.

default_t looks like you added some directory at / and did not label it
with httpd_sys_content_t?

The getattr can probably be dontaudit since I doubt your app actually
wants to look at these directories.
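Added example, not part of the original message: a Python sketch that sorts the audit2allow rules quoted in this thread along the lines the reply suggests, flagging default_t targets as labeling problems to fix and getattr-only directory rules as dontaudit candidates. The function and bucket names are hypothetical, and treating unlabeled_t the same way as default_t is an assumption of this example.

```python
import re

# Constructed sample: the allow rules from the audit2allow output quoted above.
SAMPLE_MODULE = """\
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };

#============= httpd_t ==============
allow httpd_t boot_t:dir getattr;
allow httpd_t default_t:file getattr;
allow httpd_t default_t:lnk_file read;
allow httpd_t lost_found_t:dir getattr;
"""

# allow <source> <target>:<class> <perm>;   or   { <perm> <perm> ... };
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

# Types that mean the object never received a proper label (assumption:
# unlabeled_t is handled like the default_t case the reply points out).
MISLABEL_TYPES = {"default_t", "unlabeled_t"}


def parse_rules(text):
    """Yield (source, target, tclass, perms) for each allow rule."""
    for src, tgt, cls, many, one in RULE_RE.findall(text):
        yield src, tgt, cls, frozenset((many or one).split())


def triage(text):
    """Sort rules into relabel / dontaudit / review buckets (hypothetical names)."""
    result = []
    for src, tgt, cls, perms in parse_rules(text):
        if tgt in MISLABEL_TYPES:
            action = "relabel"    # fix the file context instead of allowing
        elif cls == "dir" and perms == {"getattr"}:
            action = "dontaudit"  # stat of a directory the app does not need
        else:
            action = "review"     # needs a human decision
        result.append((action, src, tgt, cls, sorted(perms)))
    return result


if __name__ == "__main__":
    for action, src, tgt, cls, perms in triage(SAMPLE_MODULE):
        print(f"{action:9} {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

None of the five rules in the sample ends up in the review bucket, so nothing in that output needs to be loaded as a new allow rule.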