Hello everybody ;-)

I keep working on making a web cluster play nice after the upgrade from RHEL4.4 -> RHEL4.5. With this upgrade, the httpd-selinux relation became more strict. My first problem came when RHGFS 4.4 did not support xattr (our web content is in a GFS filesystem), so I must update RHGFS and RHCS to 4.5 (from the CentOS recompilation). So now I have xattr support in our GFS filesystems, but here is the problem: httpd does not want to start because some config files (which reside in another GFS filesystem) have a forbidden context (httpd cannot read files with that context). Those files are included from the main Apache configuration. This happens even if I change the context, and ls -Z shows me that I changed the context for every parent and final dir in the GFS filesystem.

Here is the error from selinux:

    { search } for pid=2289 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir

As you can see, selinux is denying the httpd process access to make a search in / (root of the filesystem on device dm-7), with inode 25, and that inode is a directory. It denies access because the context of that directory is system_u:object_r:nfs_t, am I right?

But that directory is /opt/soft:

    ll -di /opt/soft/
    25 drwxr-xr-x 8 root root 3864 Sep 11 2007 /opt/soft/
    ^^ <--- this is the inode

and its context is system_u:object_r:httpd_config_t:

    ll -dZ /opt/soft/
    drwxr-xr-x root root system_u:object_r:httpd_config_t /opt/soft/

So, who is wrong? ls -Z or the "global selinux kernel module"?
Because ls -Z shows that the context of that directory is system_u:object_r:httpd_config_t.

If I set selinux to permissive mode, then Apache can start, of course, but with some complaints like this:

    Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc: denied { search } for pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
    Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc: denied { getattr } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
    Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc: denied { read } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
    Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc: denied { getattr } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
    Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:42): avc: denied { read } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file

This means access is denied to:
1- search in /opt/soft
2- getattr and read directory /opt/soft/conf/apache
3- getattr and read file httpd.conf

But all these files and directories have context system_u:object_r:httpd_config_t:

    ll -dZ /opt/soft/conf/apache/
    drwxr-xr-x root root system_u:object_r:httpd_config_t /opt/soft/conf/apache/
    ll -di /opt/soft/conf/apache/
    31 drwxr-xr-x 2 root root 3864 Sep 11 09:44 /opt/soft/conf/apache/

Is this related to the fact that the selinux policy states this:

    genfscon gfs / system_u:object_r:nfs_t

What do you recommend to solve these complaints from selinux? Mount the GFS filesystem with the fscontext option? But that filesystem has other stuff, not related to Apache, so what context should I use?
thanks
roger
__________________________________________
RedHat Certified ( RHCE )
Cisco Certified ( CCNA & CCDA )
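The post's core puzzle is that ls -Z reports one label while the kernel denies on another. The following is an added diagnostic, not code from the post or from the Linux-cluster project: it parses AVC lines of the format quoted above, groups denials by (dev, inode), and compares the kernel's tcontext against the on-disk label ls -Z would show for the same inode. Where the two disagree, the in-kernel label is not coming from the security.selinux xattr (which is what a genfscon rule for the filesystem causes), so chcon on individual files cannot help and the fix has to be made at mount or policy level. The sample AVC lines are the ones from the post; the ls -Z labels are the values the post reports, embedded here as a constructed mapping.

```python
import re

# Sample input: the AVC denials quoted in the post, embedded as a constant.
SAMPLE_AVC = """\
Sep 11 14:18:08 blade26 kernel: audit(1189534688.151:38): avc: denied { search } for pid=2333 comm="httpd" name="/" dev=dm-7 ino=25 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:39): avc: denied { getattr } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.155:40): avc: denied { read } for pid=2333 comm="httpd" name="apache" dev=dm-7 ino=31 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Sep 11 14:18:08 blade26 kernel: audit(1189534688.158:41): avc: denied { getattr } for pid=2333 comm="httpd" name="httpd.conf" dev=dm-7 ino=484983 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
"""

# Constructed mapping (dev, inode) -> label as ls -Z reports it, per the post.
XATTR_LABELS = {
    ("dm-7", 25): "system_u:object_r:httpd_config_t",
    ("dm-7", 31): "system_u:object_r:httpd_config_t",
    ("dm-7", 484983): "system_u:object_r:httpd_config_t",
}

AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} .*?name="(?P<name>[^"]*)" '
    r'dev=(?P<dev>\S+) ino=(?P<ino>\d+) scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Group AVC denials by (dev, inode), collecting the denied permissions,
    the object class and the target context the kernel actually used."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["dev"], int(m["ino"]))
        rec = denials.setdefault(key, {"name": m["name"], "tclass": m["tclass"],
                                       "tcontext": m["tcontext"], "perms": set()})
        rec["perms"].update(m["perms"].split())
    return denials

def label_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def find_label_conflicts(denials, xattr_labels):
    """Report inodes whose kernel-side type differs from the xattr type ls -Z shows.
    Such a mismatch means the label is assigned by policy (e.g. genfscon), not by
    the stored xattr, so relabelling files will not change what the kernel enforces."""
    conflicts = []
    for key, rec in denials.items():
        on_disk = xattr_labels.get(key)
        if on_disk and label_type(on_disk) != label_type(rec["tcontext"]):
            conflicts.append((key, rec["name"], rec["tcontext"], on_disk,
                              sorted(rec["perms"])))
    return conflicts
```

Running find_label_conflicts(parse_avc(SAMPLE_AVC), XATTR_LABELS) flags all three inodes, each enforced as nfs_t while labelled httpd_config_t on disk.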