[Linux-cluster] RHEL4.5, GFS and selinux, are they playing nice?

Roger Peña orkcu at yahoo.com
Wed Sep 12 01:42:32 UTC 2007


Hello everybody ;-)

I keep working on making a web cluster play nice after
the upgrade from RHEL4.4 -> RHEL4.5.
With this upgrade, the httpd-selinux relation became
more strict. My first problem came when RHGFS4.4
did not support xattr (our web content is in a GFS
filesystem), so I had to update RHGFS and RHCS to 4.5
(from CentOS recompilation).

So now I have support for xattr in our GFS filesystems,
but here is the problem:
httpd does not want to start because some config
files (which reside in another GFS filesystem) have a
forbidden context (httpd cannot read files with that
context); those files are included from the main
apache configuration.
This happens even if I change the context and ls -Z
shows me that I changed the context for every parent
and final dir in the GFS filesystem.
Here is the error from selinux:
{ search } for  pid=2289 comm="httpd" name="/"
dev=dm-7 ino=25  
scontext=root:system_r:httpd_t
tcontext=system_u:object_r:nfs_t  
tclass=dir

As you can see, selinux is denying the httpd process
access to make a search in / (root of the filesystem
in device dm-7), with inode 25, and that inode is a
directory; it denies access because the context of that
directory is system_u:object_r:nfs_t.
Am I right?

But that directory is /opt/soft:
ll -di /opt/soft/
25 drwxr-xr-x  8 root root 3864 Sep 11  2007 /opt/soft/
^^ <--- this is the inode

and its context is system_u:object_r:httpd_config_t:
ll -dZ /opt/soft/
drwxr-xr-x  root     root     system_u:object_r:httpd_config_t /opt/soft/

So, who is wrong, ls -Z or the "global selinux kernel
module"?
Because ls -Z shows that the context of that directory
is system_u:object_r:httpd_config_t.

If I set selinux to permissive mode, then apache
can start, of course, but with some complaints like
this:

Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc:  denied  { search } for  pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t  tclass=dir

Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc:  denied  { getattr } for  pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t  tclass=dir

Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc:  denied  { read } for  pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t  tclass=dir

Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc:  denied  { getattr } for  pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t  tcontext=system_u:object_r:nfs_t tclass=file

Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:42): avc:  denied  { read } for  pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t  tcontext=system_u:object_r:nfs_t tclass=file

This means access was denied to:
1- search in /opt/soft
2- getattr and read directory /opt/soft/conf/apache
3- getattr and read file httpd.conf

but all these files and directories have context
system_u:object_r:httpd_config_t:

ll -dZ /opt/soft/conf/apache/
drwxr-xr-x  root root system_u:object_r:httpd_config_t /opt/soft/conf/apache/

ll -di /opt/soft/conf/apache/
31 drwxr-xr-x  2 root root 3864 Sep 11 09:44 /opt/soft/conf/apache/


Is this related to the fact that the selinux policy
states this:
genfscon gfs /                 system_u:object_r:nfs_t

What do you recommend to solve these complaints from
selinux?
Mount the gfs filesystem with the fscontext option?

But that filesystem has other stuff, not related to
apache, so what context should I use?


thanks
roger


__________________________________________
RedHat Certified ( RHCE )
Cisco Certified ( CCNA & CCDA )
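The diagnosis in the post turns on one detail: the tcontext in the AVC records (nfs_t) is not the label ls -Z prints (httpd_config_t). As an added example that is not part of the original post or of any Red Hat tooling, the POSIX shell script below parses AVC denial records of the form shown above and lists, per inode, the context the kernel actually enforced next to what the admin expected, so that kind of mismatch stands out. The sample records in AVC_SAMPLE are constructed from the ones in the post; on a real host the same functions can be fed dmesg or /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not code from the original post): summarise SELinux AVC
# denial records so the permission, object class, inode and the context the
# kernel applied can be compared with what 'ls -Z' reports for the object.
# AVC_SAMPLE is constructed from the records in the post.

AVC_SAMPLE='Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc:  denied  { search } for  pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc:  denied  { getattr } for  pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc:  denied  { read } for  pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc:  denied  { getattr } for  pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:42): avc:  denied  { read } for  pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file'

# avc_summary: read AVC records on stdin and print one line per denial:
#   <perm> <tclass> dev=<dev> ino=<ino> name=<name> <scontext> -> <tcontext>
avc_summary() {
  awk '
    /avc: +denied/ {
      # the permission is the token between "{" and "}"
      perm = "?"
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/ /, "", perm)
      }
      # reset the fields we print, then collect every key=value token
      kv["tclass"] = kv["dev"] = kv["ino"] = kv["name"] = "?"
      kv["scontext"] = kv["tcontext"] = "?"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) {
          v = substr($i, n + 1)
          gsub(/["]/, "", v)           # strip the quotes around comm= and name=
          kv[substr($i, 1, n - 1)] = v
        }
      }
      printf "%s %s dev=%s ino=%s name=%s %s -> %s\n", perm, kv["tclass"], kv["dev"], kv["ino"], kv["name"], kv["scontext"], kv["tcontext"]
    }'
}

# avc_count: number of denial records on stdin
avc_count() {
  avc_summary | awk 'END { print NR }'
}

# avc_tcontexts: distinct target contexts the kernel reported, one per line
avc_tcontexts() {
  avc_summary | awk '{ print $NF }' | sort -u
}

# avc_label_mismatch LABEL: denials whose kernel-side tcontext differs from
# LABEL, the context 'ls -Z' shows for the same objects. Any output means the
# kernel did not decide on the on-disk xattr label for those objects.
avc_label_mismatch() {
  avc_summary | awk -v want="$1" '$NF != want { print }'
}

# stand-alone run over the constructed sample
printf '%s\n' "$AVC_SAMPLE" | avc_summary
echo "--- denials where the kernel label differs from what ls -Z showed:"
printf '%s\n' "$AVC_SAMPLE" | avc_label_mismatch system_u:object_r:httpd_config_t
```

Run against the sample, every one of the five denials shows up in the mismatch list, because the kernel reports nfs_t for inodes 25, 31 and 484983 while ls -Z reports httpd_config_t: the on-disk xattr label is present but is not the label the kernel is enforcing for that filesystem. The same run on a host where the two agree prints nothing from avc_label_mismatch, which is the quick way to tell a genuine labelling mistake from a filesystem whose labels the policy assigns some other way.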






