Bug 214979

Summary: gallery2 does not work with selinux in enforcing mode correctly
Product: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: David Kovalsky <dkovalsk>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: benl, dwalsh, extras-qa
Doc Type: Bug Fix
Last Closed: 2007-01-11 22:21:40 UTC

Description David Kovalsky 2006-11-10 13:25:43 UTC
Description of problem:
when selinux is in enforcing mode, gallery2 fails to load

browser output:
===============
Error
Error (ERROR_PLATFORM_FAILURE) :

    * in modules/core/classes/GalleryTemplate.class at line 270
(GalleryCoreApi::error)
    * in modules/core/classes/GalleryTemplate.class at line 200
(GalleryTemplate::_initCompiledTemplateDir)
    * in main.php at line 418 (GalleryTemplate::fetch)
    * in main.php at line 87
    * in main.php at line 80

`tail -n0 -f /var/log/messages' prints
Nov 10 07:32:50 hurt kernel: audit(1163161970.447:82): avc:  denied  { write }
for  pid=2703 comm="httpd" name="%%626616196" dev=dm-0 ino=4712981
scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
Nov 10 07:32:50 hurt kernel: audit(1163161970.479:83): avc:  denied  { write }
for  pid=2703 comm="httpd" name="%%626616196" dev=dm-0 ino=4712981
scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir



Version-Release number of selected component (if applicable):
[root@hurt ~]# yum list installed gallery2\*
Loading "installonlyn" plugin
Installed Packages
gallery2.noarch                          2.1-0.24.svn20060817.f installed       
gallery2-classic.noarch                  2.1-0.24.svn20060817.f installed       
gallery2-comment.noarch                  2.1-0.24.svn20060817.f installed       
gallery2-exif.noarch                     2.1-0.24.svn20060817.f installed       
gallery2-imagemagick.noarch              2.1-0.24.svn20060817.f installed       
gallery2-matrix.noarch                   2.1-0.24.svn20060817.f installed       
gallery2-thumbnail.noarch                2.1-0.24.svn20060817.f installed       
gallery2-uploadapplet.noarch             2.1-0.24.svn20060817.f installed       



seems like the problem is with caching templates:
[root@hurt gallery2]# pwd
/usr/share/gallery2   ### the default install dir
[root@hurt gallery2]# find |grep '%%626616196' 
./g2data/smarty/templates_c/%%626616196
./g2data/smarty/templates_c/%%626616196/%%CD^CD7^CD714190%%SiteAdmin.tpl.php
./g2data/smarty/templates_c/%%626616196/%%BE^BEF^BEF33303%%NavigationLinks.tpl.php
./g2data/smarty/templates_c/%%626616196/%%55^55E^55E14245%%SystemLinks.tpl.php
./g2data/smarty/templates_c/%%626616196/%%34^345^345657B7%%AdminMaintenance.tpl.php
./g2data/smarty/templates_c/%%626616196/v_9
./g2data/smarty/templates_c/%%626616196/%%FD^FD9^FD9328A6%%BreadCrumb.tpl.php
./g2data/smarty/templates_c/%%626616196/%%AD^AD2^AD2FDAE8%%progressbar.tpl.php
./g2data/smarty/templates_c/%%626616196/%%3A^3A8^3A818B59%%theme.tpl.php
./g2data/smarty/templates_c/%%626616196/%%54^54D^54D7A448%%admin.tpl.php


I already tried clearing the cache and other administrative tasks that gallery2
offers, still with the same result

How reproducible:
always
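
For triaging denials like the two quoted in the description, this added example (not part of the original report, and not code from any SELinux tool) parses AVC records, rejoins the wrapped lines, and groups them by source type, target type, class and permission. The function names are hypothetical; the sample input is copied from the report above.

```python
import re
from collections import Counter

# Sample input: the two denials from the report, wrapped as they appear there.
SAMPLE = """\
Nov 10 07:32:50 hurt kernel: audit(1163161970.447:82): avc:  denied  { write }
for  pid=2703 comm="httpd" name="%%626616196" dev=dm-0 ino=4712981
scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
Nov 10 07:32:50 hurt kernel: audit(1163161970.479:83): avc:  denied  { write }
for  pid=2703 comm="httpd" name="%%626616196" dev=dm-0 ino=4712981
scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records: a new record starts at a line containing 'audit('."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if "audit(" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(m.group("perms").split())
    fields["serial"] = int(m.group("serial"))
    # A context is user:role:type[:level]; policy rules match on the type.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        fields[side + "_type"] = parts[2] if len(parts) > 2 else None
    return fields

def summarize(text):
    """Count denials per (source type, target type, class, perms, name)."""
    parsed = filter(None, map(parse_avc, unwrap(text)))
    return Counter((f["scontext_type"], f["tcontext_type"], f.get("tclass"),
                    f["perms"], f.get("name")) for f in parsed)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

On the sample, both records collapse into one entry: `httpd_t` denied `write` on a `usr_t` directory, which is the label on the template cache directory under /usr/share/gallery2.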

Comment 1 John Berninger 2006-12-03 18:42:24 UTC
Reassigning against Fedora Core selinux-policy - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181599 comments 25 through
30 for a similar issue when package was first delivered.

Need new context for /usr/share/gallery2 in selinux-policy package.

Comment 2 Daniel Walsh 2006-12-04 16:01:19 UTC
What directory is it trying to write?  /usr/share/gallery2?  If yes, I thought
this was changing since this breaks r/o /usr?

Dan

Comment 3 David Kovalsky 2006-12-04 17:38:37 UTC
Yes, 
it writes all kinds of data to /usr/share/gallery2/g2data (default install)
including templates, image files, cache, locks etc. It would be nice if gallery2
put this data to /var/cache/gallery2. But I guess that's rather a big change. 

If the data dir should be different (I see that /srv/gallery2 exists and is
owned by the gallery2 package) then the gallery2 web installer should offer this
path by default. 

Comment 4 Daniel Walsh 2007-01-11 22:21:40 UTC
Gallery install was fixed in that package