Bug 230058

Summary: gallery2 (still) does not work with selinux in enforcing mode correctly
Product: [Fedora] Fedora Reporter: David Kovalsky <dkovalsk>
Component: gallery2Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: benl, djuran, triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: bzcl34nup
Fixed In Version: gallery2-2.2.4-3.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-05 17:09:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Kovalsky 2007-02-26 11:59:25 UTC 
I have opened a bug long ago [214979]
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214979

It's supposed to be fixed, but still it is not. Dan Walsh wrote:
Gallery install was fixed in that package


I have verified with the lastest packages that it's not
gallery2-2.1-0.24.svn20060817.fc6
httpd-2.2.3-5
php-5.1.6-3.4.fc6
selinux-policy-targeted-2.4.6-40.fc6


Install still doesn't work when selinux is in enforcing mode.
- one still has to create /usr/share/gallery2/g2data
- one still has to disable (->permissive) selinux for the time of updating
config.php

IMO every application should install to it's default location without having to
turn selinux to permissive mode.

And it still doesn't work:
Error
Error (ERROR_PLATFORM_FAILURE) :
    * in modules/core/classes/GalleryTemplate.class at line 260
(GalleryCoreApi::error)
    * in modules/core/classes/GalleryTemplate.class at line 200
(GalleryTemplate::_initCompiledTemplateDir)
    * in main.php at line 418 (GalleryTemplate::fetch)
    * in main.php at line 87
    * in main.php at line 80


[root@slintel-b gallery2]# tail -f -n0  /var/log/audit/audit.log 
type=AVC msg=audit(1172491121.973:113): avc:  denied  { write } for  pid=15453 c
omm="httpd" name="%%626616196" dev=sda5 ino=689614 scontext=root:system_r:httpd_
t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1172491121.973:113): arch=c000003e syscall=21 success=no 
exit=-13 a0=555555c7cd68 a1=2 a2=0 a3=d items=0 ppid=15444 pid=15453 auid=0 uid=
48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="htt
pd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1172491121.974:114): avc:  denied  { write } for  pid=15453 c
omm="httpd" name="%%626616196" dev=sda5 ino=689614 scontext=root:system_r:httpd_
t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1172491121.974:114): arch=c000003e syscall=21 success=no 
exit=-13 a0=555556625598 a1=2 a2=0 a3=d items=0 ppid=15444 pid=15453 auid=0 uid=
48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="htt
pd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
Comment 1 John Berninger 2007-02-26 14:16:25 UTC 
Please see comments # 25 trough 27 in bug # 181599 (the original review
request).  This is not a problem with the gallery2 package, and cannot be
resolved in the gallery2 package.  Please stop filing bugs for this against
gallery2; any future bugs should be filed against the selinux-policy package in
Core.  Transferring this bug (again).
Comment 2 Daniel Walsh 2007-02-26 15:13:55 UTC 
John we can change the file context to allow gallery2 to write to /usr but this
is not a good behaviour.  /usr should be able to be run as a r/o file system. 
So just changing SELinux to allow this behavior is not the long time fix.  If
gallery2 need to write files they should be in the /var directory.
Comment 3 David Kovalsky 2007-02-26 17:17:09 UTC 
John, 

I what I was suggesting (even though I did not mention it explicitely) is
patching gallery2 so it installs it's write data & cache by default somewhere
into /var  as Daniel already wrote.
Comment 4 Bug Zapper 2008-04-04 06:22:29 UTC 
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 5 David Juran 2008-05-05 17:09:22 UTC 
I believe this is actually fixed in gallery2-2.2.4-3.fc8