mounting nfs as httpd_sys_content_t under selinux
Stephen Smalley
sds at tycho.nsa.gov
Mon Dec 10 17:31:11 UTC 2007
On Mon, 2007-12-10 at 12:24 -0500, Eric Paris wrote:
> On Mon, 2007-12-10 at 12:02 -0500, Johnny Tan wrote:
> > Stephen Smalley wrote:
> > > Did you already have a mount from the same server/filesystem when you
> > > tried doing this? If so, unmount those first and try again - context
> > > mounts are limited to one per superblock.
> >
> > Thanks Stephen & Eric.
> >
> > Yes, the problem was I had another mount from the same server.
> >
> > So, now both mounts have httpd_sys_content_t context even
> > though I only put that option on one of them. I do not want
> > the other mount to have this context.
> >
> > Based on what you're saying, that's not possible, right,
> > since they are coming from the same server?
Just to clarify: it isn't just that they are coming from the same
server but that they are coming from the same server with the same
filesystem id.
> You might get what you want with the nosharecache mount option I
> mentioned, if adding that to both mounts doesn't help, yeah, you are
> stuck, sorry.
Not that it helps now, but it looks like nfs_compare_mount_options()
needs to be made security-aware so that it doesn't try sharing
superblocks when there are different security options.
--
Stephen Smalley
National Security Agency
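
A check for the situation discussed in this thread, as an added example that is not part of the original message: it groups NFS mounts by superblock (the major:minor device field of /proc/self/mountinfo) and reports any superblock that carries a context= label and is reached through more than one mount point. The sample lines, host name, export paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed /proc/self/mountinfo lines (not from the original thread).
# Only /srv/www was mounted with context=; /srv/data shares its superblock
# (device 0:41) and so shows the same label. /srv/other used nosharecache.
CTX = "system_u:object_r:httpd_sys_content_t:s0"
SAMPLE = f'''\
61 25 0:41 / /srv/www rw,relatime shared:30 - nfs filer.example:/export/www rw,context="{CTX}",vers=3
62 25 0:41 / /srv/data rw,relatime shared:31 - nfs filer.example:/export/data rw,context="{CTX}",vers=3
63 25 0:44 / /srv/other rw,relatime - nfs filer.example:/export/other rw,nosharecache,vers=3
26 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw,seclabel
'''

# Match context= only, not fscontext=/defcontext=/rootcontext=; the value may
# be quoted because MLS category lists contain commas.
CONTEXT_RE = re.compile(r'(?:^|,)context=(?:"([^"]*)"|([^,]*))')

def parse_mountinfo(text):
    """Yield (device, mount_point, fstype, context or None) per mount."""
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        fields, tail = left.split(), right.split(" ", 2)
        if not sep or len(fields) < 6 or len(tail) < 3:
            continue  # malformed or truncated line
        m = CONTEXT_RE.search(tail[2])
        context = (m.group(1) or m.group(2)) if m else None
        yield fields[2], fields[4], tail[0], context

def shared_context_mounts(text):
    """Map device -> mount points for NFS superblocks that carry a context=
    label and are reachable through more than one mount point."""
    by_dev = defaultdict(list)
    for dev, mount_point, fstype, context in parse_mountinfo(text):
        if fstype.startswith("nfs") and context is not None:
            by_dev[dev].append((mount_point, context))
    return {dev: m for dev, m in by_dev.items() if len(m) > 1}

if __name__ == "__main__":
    for dev, mounts in shared_context_mounts(SAMPLE).items():
        print(f"superblock {dev} is shared; one label covers every mount:")
        for mount_point, context in mounts:
            print(f"  {mount_point}  context={context}")
```

On a live system, pass the contents of /proc/self/mountinfo to shared_context_mounts() instead of SAMPLE.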