[Bug 750464] build.gnome.org selinux labeling issues



Andrea Veri changed bug 750464
What    Removed    Added
CC                 andrea.veri@gmail.com

Comment # 1 on bug 750464 from Andrea Veri
Fixed the context on:

 1. /srv/ostree/public_html
 2. /srv/ostree/src/gnome-continuous/extras/build.gnome.org

Seems SELinux is complaining about more files, though, which are hosted in
directories that are generated daily, so having those in Puppet won't make much
sense. Do you think we can automate the labeling of these files directly at the
end of the build process? (The relevant binary file should have a setuid on
root already, so ideally we can include a matching rule for httpd_sys_content_t
for all files ending with .json, .png and .qcow2.gz, which are the majority of
hits.)

An excerpt of audit.log:

type=AVC msg=audit(1433601104.588:224112): avc:  denied  { getattr } for  pid=12321 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json" dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1433601093.518:224097): avc:  denied  { getattr } for  pid=7567 comm="httpd" path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz" dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1433600852.354:223953): avc:  denied  { getattr } for  pid=9267 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png" dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


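An added example, not part of the original mail or of the GNOME infrastructure code: a small Python summarizer that groups AVC denials by source type, target type and file suffix, which is the tally needed to confirm that .json, .png and .qcow2.gz files labeled var_t account for the hits. The input is the three records from the excerpt above, one per line; the function names and the "other" bucket are assumptions of this example.

```python
import re
from collections import Counter

# The three AVC records from the audit.log excerpt above, one record per line.
AUDIT_EXCERPT = """\
type=AVC msg=audit(1433601104.588:224112): avc:  denied  { getattr } for  pid=12321 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json" dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433601093.518:224097): avc:  denied  { getattr } for  pid=7567 comm="httpd" path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz" dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433600852.354:223953): avc:  denied  { getattr } for  pid=9267 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png" dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="quoted value" or key=bare
SUFFIXES = (".qcow2.gz", ".json", ".png")      # suffixes named in the comment


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type field drives the decision.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count file denials by (source type, target type, file suffix)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file" or "path" not in rec:
            continue
        suffix = next((s for s in SUFFIXES if rec["path"].endswith(s)), "other")
        counts[(rec["stype"], rec["ttype"], suffix)] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, suffix), n in sorted(summarize(AUDIT_EXCERPT).items()):
        print(f"{n:3d}  {stype} -> {ttype}  {suffix}")
```

A large "other" count on a full audit.log would mean the three suffixes do not cover the denials and a suffix-based labeling rule would leave files unreadable by httpd.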