selinux, httpd, and nfs

Stephen Smalley sds at
Tue Sep 6 14:37:05 UTC 2005

On Sun, 2005-09-04 at 11:10 -0700, Ben wrote:
> I'm trying to use NFS to make a bunch of images available for apache.  
> SELinux on the apache server seems to be getting in the way, and this  
> time I think it really is SELinux, because apache can serve the  
> images just fine when I'm not enforcing. When I turn on enforcing, I  
> get permission denied messages.
> Unfortunately, there are no avc messages being generated, even when I  
> follow the steps listed out here:

Just in case you don't know it already, in FC4, audit messages are now
directed to a separate audit daemon (auditd) and logged
to /var/log/audit/audit.log rather than being handled by klogd/syslogd
and going to /var/log/messages.  So you need to look in audit.log for
any denials.

> I suspect the issue might have something to do with there being no  
> SELinux attributes on the files in my image directory.... but without  
> any avc messages, it's hard to tell.
> Interestingly, even when I am enforcing, I can copy and read the  
> files.... just not with apache.

Yes, that would make sense, as user sessions are unrestricted by the
targeted policy (they are in unconfined_t, e.g. see the output of id
-Z).  Targeted policy only tries to control specific daemons.

This may be affected by one of the policy booleans,
e.g. /usr/sbin/getsebool -a | grep httpd and /usr/sbin/getsebool -a |
grep nfs.

Other resources:
man httpd_selinux
man nfs_selinux

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list