selinux context disappear after nfs mount

Daniel J Walsh dwalsh at redhat.com
Wed Oct 8 11:37:12 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fabrizio Buratta wrote:
> Hi everybody.
> 
> I'm trying to mount an nfs server ( a raid5 nas ) on my centos4.
> Afterward I want
> a script inside apache cgi-bin directory to be able to do any file and
> dir operations.
> 
> Let's say I want a context capable of apache r/w operations on my
> mount dir, then I execute:
> 
> mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t
> mynas:/external_dir /mnt/my_mount_dir
> 
> it does mount my external dir but if I execute ls -Z I see:
> 
> drwxrwxrwx  254      254                                       storage
> 
> Where's my context? Obviously my script is not able to write on this
> directory and selinux complains:
> 
> type=AVC msg=audit(1223458283.439:3794033): avc:  denied  { getattr }
> for  pid=21669 comm="python" name="var" dev=dm-0 ino=261121
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_t tclass=dir
> type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003
> syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4
> a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=AVC_PATH msg=audit(1223458283.439:3794033):  path="/var"
> type=CWD msg=audit(1223458283.439:3794033):  cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0
> inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.050:3794034): avc:  denied  { search }
> for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003
> syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4
> a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.050:3794034):  cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.050:3794034):
> name="/mnt/storage/nightly/testfile" flags=1  inode=718081 dev=fd:00
> mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.051:3794035): avc:  denied  { search }
> for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003
> syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241
> items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.051:3794035):  cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.051:3794035):
> name="/mnt/storage/nightly/testfile" flags=310  inode=718081 dev=fd:00
> mode=040755 ouid=0 ogid=0 rdev=00:00
> 
> Of course I'm using a python script.
> Until now I did not try to compile a local selinux policy in order
> to allow that kind of operations ( I would avoid it if possible )
> 
> Any suggestion?
> 
> Thanks,
> Fab.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You have two problems.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t mnt_t:dir search;

You need to load a custom policy to allow your cgi scripts to read
through the /mnt directory.

allow httpd_sys_script_t var_t:dir getattr;

This one does not make sense; this rule should be allowed in all default
policies. What policy are you running? Apache scripts should be able
to search/getattr on var_t in order to use /var/www/.

Neither of these AVCs is much of a security risk to allow.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjsm2cACgkQrlYvE4MpobMIFQCg4SenCLanOIaIIc0m5ozndTR5
HX4An26oG117iKH1aqsETEWJw9CrfiUf
=cY7A
-----END PGP SIGNATURE-----
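As an added example (not part of this thread, and not the audit2allow tool itself), here is a small Python script that does what Dan's reply shows by hand: it reads the AVC records quoted above, collapses the duplicate `search` denial on mnt_t, and emits the two allow rules in the same `.te` module layout that `audit2allow -M` prints, so the result can be reviewed rule by rule before it is compiled and loaded. The sample log is reconstructed from the quoted records (re-joined onto one line each, since the mail client wrapped them); the module name `local` is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from Fabrizio's mail, one record per
# line as auditd writes them. Non-AVC record types (SYSCALL, CWD, PATH) are
# present in a real log and are simply skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1223458283.439:3794033): avc:  denied  { getattr } for  pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4 a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1223458286.050:3794034): avc:  denied  { search } for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1223458286.051:3794035): avc:  denied  { search } for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

# Pull the permission set and the source/target contexts out of one AVC line.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Repeated denials of the same (source, target, class) triple are merged,
    which is why the two 'search' records on mnt_t become a single rule.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def render_te(module_name, denials, version="1.0"):
    """Render a loadable-module .te source in the style of audit2allow -M."""
    source_types = {s for (s, _, _) in denials}
    types = sorted(source_types | {t for (_, t, _) in denials})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)

    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]

    for stype in sorted(source_types):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(denials.items()):
            if s != stype:
                continue
            p = sorted(perms)
            perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {s} {t}:{cls} {perm_str};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    te = render_te("local", parse_denials(SAMPLE_AUDIT_LOG))
    print(te)
    # Review each rule, then build and load with the standard toolchain:
    #   checkmodule -M -m -o local.mod local.te
    #   semodule_package -o local.pp -m local.mod
    #   semodule -i local.pp
```

Each rule is keyed on the types alone (user and role are dropped from the contexts), which is what a policy `allow` statement needs and why `root:system_r:httpd_sys_script_t` and `system_u:system_r:httpd_sys_script_t` would land in the same rule. Before loading, check the generated rules against what Dan says about them: the mnt_t search rule is the expected one for this setup, while a missing var_t getattr rule points at the policy version in use rather than at something the module should be papering over.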