https://bugzilla.gnome.org/show_bug.cgi?id=750464
Andrea Veri <[email protected]> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |[email protected]
--- Comment #1 from Andrea Veri <[email protected]> ---
Fixed the context on:
1. /srv/ostree/public_html
2. /srv/ostree/src/gnome-continuous/extras/build.gnome.org
It seems SELinux is complaining about more files, though, which are hosted in
directories that are generated daily, so having those in Puppet won't make much
sense. Do you think we can automate the labeling of these files directly at the
end of the build process? (The relevant binary file should have a setuid on
root already, so ideally we can include a matching rule for httpd_sys_content_t
for all files ending with .json, .png and .qcow2.gz, which are the majority of
hits.)
An excerpt of audit.log:
type=AVC msg=audit(1433601104.588:224112): avc: denied { getattr } for
pid=12321 comm="httpd"
path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json"
dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433601093.518:224097): avc: denied { getattr } for
pid=7567 comm="httpd"
path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz"
dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433600852.354:223953): avc: denied { getattr } for
pid=9267 comm="httpd"
path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png"
dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
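
An added example, not part of the original message or of GNOME's tooling: a small Python parser that groups httpd AVC denials like those in the excerpt by file suffix and prints candidate `semanage fcontext` rules for httpd_sys_content_t. The function names and the choice of /srv/ostree/ostbuild/work as the rule root are assumptions made for illustration.

```python
import re
from collections import Counter

# The three records from the excerpt above, rejoined onto one line each
# (the mail wrapped them; audit.log stores one record per line).
SAMPLE = """\
type=AVC msg=audit(1433601104.588:224112): avc: denied { getattr } for pid=12321 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json" dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433601093.518:224097): avc: denied { getattr } for pid=7567 comm="httpd" path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz" dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433600852.354:223953): avc: denied { getattr } for pid=9267 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png" dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

ROOT = "/srv/ostree/ostbuild/work"          # assumed rule root, taken from the paths above
SUFFIXES = (".qcow2.gz", ".json", ".png")   # suffixes named in the comment
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Return one dict per AVC denial that carries a path= field."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["ttype"] = d["tcontext"].split(":")[2]  # user:role:type:level
            denials.append(d)
    return denials

def summarize(denials, comm="httpd", ttype="var_t"):
    """Count denials for `comm` on `ttype`-labelled files under ROOT, by suffix."""
    counts = Counter()
    for d in denials:
        if d["comm"] == comm and d["ttype"] == ttype and d["path"].startswith(ROOT + "/"):
            counts[next((s for s in SUFFIXES if d["path"].endswith(s)), "(other)")] += 1
    return counts

def fcontext_rules(counts, label="httpd_sys_content_t"):
    """Build one persistent file-context rule per suffix that was actually denied."""
    return [f"semanage fcontext -a -t {label} '{ROOT}/.*{re.escape(s)}'"
            for s in sorted(counts) if s != "(other)"]

if __name__ == "__main__":
    counts = summarize(parse_denials(SAMPLE))
    print(dict(counts))
    print("\n".join(fcontext_rules(counts)))
```

The rules only record the intended label; existing and newly built files pick it up when `restorecon -R` is run over the tree, for example as the last step of the build.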