Fedora Linux Support Community & Resources Center
  #1  
Old 2004-12-13, 09:37 AM CST
macemoneta Offline
Registered User
 
Join Date: May 2004
Location: NJ
Age: 54
Posts: 582
Howto: Running Gallery with SELinux enabled

Gallery is a popular web-based photo album. Using it under SELinux requires that you properly have the file contexts set, as well as allowing some operations that are disallowed in the default targeted policy.

Here's the procedure:

1. Install the software: httpd, php, mysql, gallery, etc.
2. Install the source for the targeted policy:

Code:
yum -y install selinux-policy-targeted-sources

3. Reset the file contexts:

Code:
rpm -ql php | restorecon -R -v -f -
rpm -ql php-mysql | restorecon -R -v -f -
rpm -ql httpd | restorecon -R -v -f -
rpm -ql mysql-server | restorecon -R -v -f -
service mysqld restart
service httpd restart

4. For any directories that contain web content that isn't in the /var/www/html subdirectory, assign the correct context:

Code:
chcon -R -t httpd_sys_content_t /some/directory/

5. Create a local policy:

Code:
vi /etc/selinux/targeted/src/policy/domains/misc/local.te

allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_log_t:file write;
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name read setattr write };
allow httpd_sys_script_t httpd_sys_content_t:file { create setattr write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
allow httpd_sys_script_t self:capability { dac_override dac_read_search };
allow httpd_sys_script_t self:unix_dgram_socket { connect create getattr write };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_sys_script_t tmp_t:lnk_file read;
allow httpd_sys_script_t var_spool_t:dir { add_name getattr read remove_name search write };
allow httpd_sys_script_t var_spool_t:file { create getattr lock write read unlink };
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_t httpd_log_t:file unlink;

6. Reload the modified policy:

Code:
cd /etc/selinux/targeted/src/policy/
make reload

7. Run system-config-securitylevel, and in the SELinux tab make sure:

a. Enforcing is enabled (checked)
b. Policy type: targeted
c. Under HTTPD Service:

i. If you need it, check "Allow HTTPD to read home directories"
ii. Uncheck "Disable SELinux protection for httpd daemon"

Last edited by macemoneta; 2004-12-21 at 06:46 PM CST. Reason: Added additional permissions (step 5) so that Gallery could create/send emails
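An added example, not part of the original post: a shell function that lists which of the step 5 allow rules grant a capability or a permission that changes the target object, so they can be reviewed by hand before `make reload`. The function names and the CAPABILITY/MODIFY labels are assumptions made for this example; the sample rules are copied from step 5.

```shell
#!/usr/bin/env bash
# Added example: list which local.te allow rules deserve a closer look.

# Sample input: rules copied from step 5 of the post above.
sample_rules() {
cat <<'EOF'
allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name read setattr write };
allow httpd_sys_script_t httpd_sys_content_t:file { create setattr write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
allow httpd_sys_script_t self:capability { dac_override dac_read_search };
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_t httpd_log_t:file unlink;
EOF
}

# review_rules (hypothetical helper): reads allow rules on stdin and prints
#   <FLAG> <source> <target>:<class> <perm,perm,...>
# for every rule that grants a capability (CAPABILITY) or a permission that
# changes the target object (MODIFY). Read-only rules are not printed.
review_rules() {
  awk '
    $1 == "allow" {
      split($3, tc, ":")            # tc[1] = target type, tc[2] = class
      perms = ""
      for (i = 4; i <= NF; i++) {   # strip braces and the trailing ";"
        p = $i
        gsub(/[{};]/, "", p)
        if (p != "") perms = perms (perms == "" ? "" : ",") p
      }
      flag = ""
      if (tc[2] == "capability") {
        flag = "CAPABILITY"
      } else if (("," perms ",") ~ /,(write|append|create|unlink|rename|setattr|add_name|remove_name),/) {
        flag = "MODIFY"
      }
      if (flag != "") print flag, $2, tc[1] ":" tc[2], perms
    }'
}

# Show the flagged rules for the sample input.
sample_rules | review_rules
```

To check the real file, run `review_rules < /etc/selinux/targeted/src/policy/domains/misc/local.te`. The `dac_override` capability covers bypassing ordinary file permission checks, and the MODIFY rules on `httpd_sys_content_t` let scripts create and change files in the web content tree.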
  #2  
Old 2005-06-24, 06:44 PM CDT
Bana Offline
Retired Community Manager
 
Join Date: Feb 2004
Location: Austin, Texas
Age: 22
Posts: 580
Excellent, I was looking for this. Any chance of this being a bug to put on bugzilla?
__________________
http://coolhands.blogspot.com/
binarybana AT gmail.com