[Linux-cluster] RHEL4.5, GFS and selinux, are they playing nice?
Roger Peña
orkcu at yahoo.com
Wed Sep 12 01:42:32 UTC 2007
Hello everybody ;-)
I keep working on making a web cluster play nice after
the upgrade from RHEL4.4 -> RHEL4.5.
With this upgrade, the relationship between httpd and selinux became
stricter. My first problem came when RHGFS4.4
did not support xattr (our web content is in a gfs
filesystem), so I had to update RHGFS and RHCS to 4.5
(from the centos recompilation).
So now I have xattr support in our GFS filesystems,
but here is the problem:
httpd does not want to start because some config
files (which reside in another GFS filesystem) have a
forbidden context (httpd cannot read files with that
context) (those files are included from the main
apache configuration),
even if I change the context and ls -Z shows me that I
changed the context for every parent and final dir in
the GFS filesystem.
Here is the error from selinux:
{ search } for pid=2289 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
As you can see, selinux is denying the httpd process
access to make a search in / (root of the filesystem
on device dm-7), with inode 25, and that inode is a
directory; it denies access because the context of that
directory is system_u:object_r:nfs_t.
Am I right?
But that directory is /opt/soft:
ll -di /opt/soft/
25 drwxr-xr-x 8 root root 3864 Sep 11 2007 /opt/soft/
^^ <--- this is the inode
and its context is system_u:object_r:httpd_config_t:
ll -dZ /opt/soft/
drwxr-xr-x root root system_u:object_r:httpd_config_t /opt/soft/
So, who is wrong? ls -Z or the "global selinux kernel
module"?
Because ls -Z shows that the context of that directory
is system_u:object_r:httpd_config_t.
If I set selinux to permissive mode, then apache
can start, of course, but with some complaints like
these:
Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc: denied { search } for pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc: denied { getattr } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc: denied { read } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc: denied { getattr } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:42): avc: denied { read } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
This means access is denied to:
1- search in /opt/soft
2- getattr and read the directory /opt/soft/conf/apache
3- getattr and read the file httpd.conf
But all these files and directories have the context
system_u:object_r:httpd_config_t:
ll -dZ /opt/soft/conf/apache/
drwxr-xr-x root root system_u:object_r:httpd_config_t /opt/soft/conf/apache/
ll -di /opt/soft/conf/apache/
31 drwxr-xr-x 2 root root 3864 Sep 11 09:44 /opt/soft/conf/apache/
Is this related to the fact that the selinux policy states
this:
genfscon gfs / system_u:object_r:nfs_t
What do you recommend to solve these complaints from
selinux?
Mount the gfs filesystem with the fscontext option?
But that filesystem has other stuff not related to
apache, so what context should I use?
Thanks,
roger
__________________________________________
RedHat Certified ( RHCE )
Cisco Certified ( CCNA & CCDA )
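A small diagnostic helper for the situation described in the post, added here as an example and not part of the original message or of any Red Hat or SELinux tooling. It parses kernel AVC records of the form shown above (the five denials are embedded as constructed sample input, each on one line as the kernel prints them), groups the denied permissions per object by (dev, inode, class), and then compares the tcontext the kernel reported against the label `ls -dZ` showed for the same inode. The `XATTR_LABELS` table is a hand-built copy of the two `ls -dZ` results quoted in the post; httpd.conf is deliberately left out of it because the post shows no `ls -Z` line for that file. Anything the kernel reports under a different label than the xattr carries is listed as a mismatch, which is exactly the "who is wrong, ls -Z or the kernel?" question in a form that can be run over a full /var/log/messages.

```python
import re

# Constructed sample: the AVC records quoted in the post, one record per line.
SAMPLE_AVC = """\
Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc: denied { search } for pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc: denied { getattr } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc: denied { read } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc: denied { getattr } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:42): avc: denied { read } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
"""

# Constructed: the labels `ls -dZ` printed for the same inodes, keyed by (dev, ino).
# httpd.conf (ino 484983) is not listed because the post shows no ls -Z output for it.
XATTR_LABELS = {
    ("dm-7", 25): "system_u:object_r:httpd_config_t",   # /opt/soft
    ("dm-7", 31): "system_u:object_r:httpd_config_t",   # /opt/soft/conf/apache
}

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields plus a 'perms' list, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    if "ino" in rec:
        rec["ino"] = int(rec["ino"])
    return rec


def summarize(log_text):
    """Group denials by object (dev, ino, tclass); merge perms, names and contexts seen."""
    by_obj = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "ino" not in rec:
            continue
        key = (rec["dev"], rec["ino"], rec["tclass"])
        entry = by_obj.setdefault(key, {"perms": set(), "tcontext": set(),
                                        "scontext": set(), "names": set()})
        entry["perms"].update(rec["perms"])
        entry["tcontext"].add(rec["tcontext"])
        entry["scontext"].add(rec["scontext"])
        entry["names"].add(rec.get("name", "?"))
    return by_obj


def label_mismatches(summary, xattr_labels):
    """List objects whose kernel-reported tcontext differs from the xattr label ls -Z shows.

    Objects with no entry in xattr_labels are skipped rather than guessed at.
    """
    out = []
    for (dev, ino, tclass), entry in summary.items():
        expected = xattr_labels.get((dev, ino))
        if expected is None:
            continue
        for seen in sorted(entry["tcontext"]):
            if seen != expected:
                out.append({"dev": dev, "ino": ino, "tclass": tclass,
                            "names": sorted(entry["names"]),
                            "kernel": seen, "xattr": expected,
                            "perms": sorted(entry["perms"])})
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC)
    for (dev, ino, tclass), e in sorted(s.items()):
        print(f"{dev} ino={ino} {tclass}: denied {sorted(e['perms'])} "
              f"names={sorted(e['names'])} tcontext={sorted(e['tcontext'])}")
    for mm in label_mismatches(s, XATTR_LABELS):
        print(f"MISMATCH {mm['dev']} ino={mm['ino']} ({mm['names']}): "
              f"kernel says {mm['kernel']}, xattr says {mm['xattr']}")
```

Run it as-is to see the two inodes from the post reported as mismatches; to use it on a live box, replace `SAMPLE_AVC` with the contents of the messages log and fill `XATTR_LABELS` from `ls -diZ` on the paths named in the denials. Grouping by inode rather than by name matters here because the kernel prints only the last path component (`name="/"`, `name="apache"`), which is ambiguous on its own.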