selinux, httpd, and nfs
Stephen Smalley
sds at tycho.nsa.gov
Tue Sep 6 14:37:05 UTC 2005
On Sun, 2005-09-04 at 11:10 -0700, Ben wrote:
> I'm trying to use NFS to make a bunch of images available for apache.
> SELinux on the apache server seems to be getting in the way, and this
> time I think it really is SELinux, because apache can serve the
> images just fine when I'm not enforcing. When I turn on enforcing, I
> get permission denied messages.
>
> Unfortunately, there are no avc messages being generated, even when I
> follow the steps listed out here:
>
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008
Just in case you don't know it already, in FC4, audit messages are now
directed to a separate audit daemon (auditd) and logged
to /var/log/audit/audit.log rather than being handled by klogd/syslogd
and going to /var/log/messages. So you need to look in audit.log for
any denials.
> I suspect the issue might have something to do with there being no
> SELinux attributes on the files in my image directory.... but without
> any avc messages, it's hard to tell.
>
> Interestingly, even when I am enforcing, I can copy and read the
> files.... just not with apache.
Yes, that would make sense, as user sessions are unrestricted by the
targeted policy (they are in unconfined_t, e.g. see the output of
`id -Z`). Targeted policy only tries to control specific daemons.
This may be affected by one of the policy booleans, e.g.
`/usr/sbin/getsebool -a | grep httpd` and
`/usr/sbin/getsebool -a | grep nfs`.
Other resources:
man httpd_selinux
man nfs_selinux
--
Stephen Smalley
National Security Agency
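As an added example that is not part of this thread (neither Ben's nor Stephen's code), the POSIX shell script below does the two checks the reply recommends: it pulls AVC denials whose source domain is httpd_t out of an auditd-style log (the record layout and every value in the embedded sample are constructed for illustration, and the `nfs_t` target type is an assumption about how the NFS-mounted images would be labelled), and it lists the httpd/nfs booleans via `getsebool -a` when that tool is present on the host.

```shell
#!/bin/sh
# Added example: find httpd_t AVC denials in audit.log and list httpd/nfs booleans.
# Not code from the mailing-list thread; audit record layout and sample values are
# constructed to look like auditd output and are not taken from any real system.

# Constructed sample of /var/log/audit/audit.log: two httpd_t denials against
# files labelled nfs_t, one unrelated SYSCALL record and one unrelated cupsd_t denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1125848221.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="photo1.jpg" dev=0:15 ino=98765 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=SYSCALL msg=audit(1125848221.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1125848300.500:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/images/photo2.jpg" dev=0:15 ino=98766 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1125848400.777:47): avc:  denied  { write } for  pid=1111 comm="cupsd" name="printers.conf" dev=hda2 ino=5 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:etc_t tclass=file'

# httpd_denials [FILE]
# Print "permissions target-type object-class" for each AVC denial whose
# scontext type is httpd_t. FILE defaults to stdin ("-"); pass
# /var/log/audit/audit.log on a real FC4 host.
httpd_denials() {
    awk '
        /^type=AVC / && /avc: +denied/ && /scontext=[^ ]*:httpd_t/ {
            perm = ""; ttype = ""; tclass = ""
            # permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                # user:role:type -> the type is the third field of the context
                if ($i ~ /^tcontext=/) { split($i, parts, ":"); ttype = parts[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            print perm, ttype, tclass
        }
    ' "${1:--}"
}

# count_httpd_denials [FILE]: number of httpd_t denials found.
count_httpd_denials() {
    httpd_denials "$@" | wc -l | tr -d ' '
}

# show_httpd_nfs_booleans: the "getsebool -a | grep httpd / grep nfs" check from
# the reply, done in one pass. Returns 1 when the host has no SELinux userland.
show_httpd_nfs_booleans() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a 2>/dev/null | grep -E 'httpd|nfs'
    else
        echo "getsebool not available on this host; run on the SELinux machine" >&2
        return 1
    fi
}

# Stand-alone run: analyse the constructed sample, then list booleans if possible.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | httpd_denials
show_httpd_nfs_booleans || true
```

On a live host the same functions would be pointed at the real log (`httpd_denials /var/log/audit/audit.log`); a denial listing httpd_t against an nfs_t target together with an `off` httpd/nfs boolean in the second output is the combination the reply is asking Ben to look for.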