mounting nfs as httpd_sys_content_t under selinux
Stephen Smalley
sds at tycho.nsa.gov
Mon Dec 10 14:34:14 UTC 2007
On Sat, 2007-12-08 at 11:41 -0500, Johnny Tan wrote:
> I have a NFS mount that I want apache to be able to serve
> files from.
>
> According to this doc:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/ch45s02s03.html
>
> I should be able to mount it with a context that will allow
> apache to access it.
>
> But when I try the suggested command:
>
> [root@vm-37:~] mount -t nfs -o \
> context=system_u:object_r:httpd_sys_content_t \
> 192.168.1.100:/data/test /mnt/test
What kernel messages in /var/log/messages did you get when you ran this
command?
Did you already have a mount from the same server/filesystem when you
tried doing this? If so, unmount those first and try again - context
mounts are limited to one per superblock.
> It *does* mount, but when I do:
> [root@vm-37:~]# ls -lZ /mnt
> drwxr-xr-x 65534 65534 system_u:object_r:nfs_t test
>
> It doesn't show the correct context.
>
> (I don't know if it matters that I don't have a user with
> UID 65534, only the remote NFS server has that.)
>
>
> And sure enough, apache still can't serve from it. I see
> this in /var/log/messages:
> Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc: denied { search } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc: denied { getattr } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>
> When I "setenforce 0", it works. But I want SELinux.
>
>
> Granted, I could do:
> allow httpd_t nfs_t:dir { search getattr };
>
> Well, actually, I haven't tried it but I'm guessing that
> that will work. The problem is that I have other nfs
> directories that I don't want httpd to access, even
> accidentally if we ever point httpd at those directories.
>
> So... any ideas on the nfs mount with the context option?
>
>
> I'm running CentOS-5.1 with latest updates of everything.
>
> johnn
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
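Added example, not part of the thread above: POSIX shell helpers for the two checks the reply asks for around a context= NFS mount, namely whether another mount from the same server already exists (the one-context-mount-per-superblock limit) and whether the mounted directory really carries the requested type rather than nfs_t, plus a summariser for the AVC lines so the denial can be read as source type, permission, target type and class. The /proc/mounts text, the ls -Z line and the AVC line are constructed from the quoted report; the function names (other_mounts_from_server, context_type_of, context_matches, avc_summary) are this example's own and not a tool mentioned on the page.

```shell
#!/bin/sh
# Diagnostic helpers for a context= NFS mount that still shows nfs_t.
# Everything below is an added example; sample data is constructed.

# Constructed /proc/mounts content: two mounts from the same server,
# which is the situation the reply says to clear before retrying.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw 0 0
192.168.1.100:/data/other /mnt/other nfs rw,addr=192.168.1.100 0 0
192.168.1.100:/data/test /mnt/test nfs rw,addr=192.168.1.100 0 0'

# Constructed copy of the first quoted AVC denial, on one line.
SAMPLE_AVC='Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc: denied { search } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Constructed copy of the quoted ls -lZ line for the mount point.
SAMPLE_LS='drwxr-xr-x 65534 65534 system_u:object_r:nfs_t test'

# Print mount points of other NFS mounts that come from the same server
# as SERVER:/EXPORT. Usage: other_mounts_from_server SERVER:/EXPORT [TEXT]
# With no second argument the live /proc/mounts is read.
other_mounts_from_server() {
    server=${1%%:*}
    export_path=${1#*:}
    mounts=${2:-"$(cat /proc/mounts)"}
    printf '%s\n' "$mounts" | awk -v srv="$server" -v ex="$export_path" '
        $3 ~ /^nfs/ {
            split($1, src, ":")
            if (src[1] == srv && src[2] != ex) print $2
        }'
}

# Extract the SELinux type (third field of user:role:type[:level]) from
# one line of ls -Z / ls -dZ output.
context_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:object_r:/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Return 0 when the observed type on the ls -Z line equals the type that
# was requested with context=, 1 otherwise (the mount option did not take).
context_matches() {
    observed=$(context_type_of "$1")
    [ "$observed" = "$2" ]
}

# Reduce an AVC denial line to "SOURCE_TYPE PERMS TARGET_TYPE CLASS".
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied { \([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \1 \3 \4/p'
}

# Walk through the quoted report with the constructed samples.
others=$(other_mounts_from_server 192.168.1.100:/data/test "$SAMPLE_MOUNTS")
[ -n "$others" ] && echo "other mounts from the same server: $others"
if context_matches "$SAMPLE_LS" httpd_sys_content_t; then
    echo "mount carries httpd_sys_content_t"
else
    echo "mount still carries $(context_type_of "$SAMPLE_LS"); context= had no effect"
fi
echo "denial: $(avc_summary "$SAMPLE_AVC")"
```

On a live system, run `other_mounts_from_server SERVER:/EXPORT` with no second argument before attempting the context mount, then feed `ls -dZ /mnt/test` to `context_matches` afterwards; a result of nfs_t together with an `avc_summary` of `httpd_t search nfs_t dir` is exactly the symptom in the quoted report.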