Unable to create files when using "context" option for NFS
Daniel J Walsh
dwalsh at redhat.com
Wed Jun 8 14:46:56 UTC 2005
Robert Bottomley wrote:
> In FC3 (running kernel 2.6.11-1.27_FC3smp and
> selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem
> for use by Apache. In /etc/fstab, I have:
>
> ozone:/usr/local/svn /svn nfs
> rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192
> 0 0
>
> Any attempts to create a file in /svn are met with (here I was
> attempting a "touch x"):
>
We don't have a good solution for this.
> audit(1117233333.027:0): avc: denied { associate } for pid=12795
> exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t
> tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
>
> It does not matter what context I specify, I cannot create a file --
> even though my shell is running as unconfined_t. (If a file already
> exists, I can edit it.)
>
> So the questions are:
>
> 1. Is this a bug? Should I not be able to create a file when running
> in the unconfined_t context?
>
> 2. Audit2allow tells me that I need to add:
> "
>
You can install policy sources (selinux-policy-targeted-sources)
cd /etc/selinux/targeted/src/policy
echo "allow httpd_sys_script_rw_t self:filesystem associate;" >> domains/misc/local.te
make load
And try it out. It should work. The problem for us is how to
generalize this solution.
Dan
> but if unconfined_t context cannot write, then will something in
> httpd_sys_script_rw_t be able to?
>
> sestatus
> ========
>
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 18
> Policy from config file: targeted
>
> Policy booleans:
> allow_ypbind active
> dhcpd_disable_trans inactive
> httpd_disable_trans inactive
> httpd_enable_cgi active
> httpd_enable_homedirs active
> httpd_ssi_exec active
> httpd_tty_comm inactive
> httpd_unified inactive
> mysqld_disable_trans inactive
> named_disable_trans inactive
> named_write_master_zones inactive
> nscd_disable_trans inactive
> ntpd_disable_trans inactive
> portmap_disable_trans inactive
> postgresql_disable_trans inactive
> snmpd_disable_trans inactive
> squid_disable_trans inactive
> syslogd_disable_trans inactive
> use_nfs_home_dirs inactive
> use_samba_home_dirs inactive
> use_syslogng inactive
> winbind_disable_trans inactive
> ypbind_disable_trans inactive
>
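The denial above is a `filesystem associate` check: when a file is created on a `context=` mount, the label the new file would get (here `httpd_sys_script_rw_t`, the type of the `scontext` field) must be allowed to associate with the filesystem's label (the `tcontext`, also `httpd_sys_script_rw_t` because of the mount option), which is why the rule Dan gives uses `self`. The following script is an added example, not code from the thread or from the SELinux project; it reimplements the small part of audit2allow's logic that turns an AVC line into an `allow` rule, so a reader can see how the denial maps onto the policy line. The second log line is a constructed sample used only to show the non-`self` case.

```python
import re

# Constructed sample input: the AVC denial quoted in the thread, as one line.
SAMPLE_AVC = (
    "audit(1117233333.027:0): avc: denied { associate } for pid=12795 "
    "exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t "
    "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem"
)

# Second constructed sample (types chosen for illustration, not from the thread)
# so the non-"self" branch and multi-permission formatting are exercised.
OTHER_AVC = (
    "audit(1117233400.100:0): avc: denied { getattr read } for pid=2001 "
    "exe=/usr/sbin/httpd name=index.html scontext=system_u:system_r:httpd_t "
    "tcontext=system_u:object_r:var_t tclass=file"
)

# Matches the fields audit2allow needs: permissions, source/target context, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the relevant fields of an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def context_type(ctx):
    """A security context is user:role:type[:level]; the type is the third field."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Build the allow rule that would satisfy this denial, using 'self' when
    source and target types coincide (as they do for the thread's associate denial)."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{avc['tclass']} {perm_str};"


def rules_from_log(lines):
    """Collect one allow rule per distinct denial, preserving first-seen order."""
    rules = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # not an AVC denial (e.g. an unrelated audit record)
        rule = allow_rule(avc)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rules_from_log([SAMPLE_AVC, OTHER_AVC, "some unrelated line"]):
        print(rule)
```

The rule derived from the thread's denial is exactly the line Dan appends to `domains/misc/local.te`. As Dan notes, this is a workaround, not a general fix: the generated rule only whitelists the one type pair seen in the log, so it is worth confirming the denial is expected behaviour for the mount (as here) rather than mechanically loading whatever audit2allow emits.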
--
More information about the fedora-selinux-list mailing list