Ian Pilcher wrote:
Daniel J Walsh wrote:
Look for AVC Messages in the /var/log/messages file.
I should have posted those before. Here is an example of what happens when httpd tries to access the reiserfs filesystem:
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied { search } for pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied { getattr } for pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
You can run audit2allow -l -i /var/log/messages
Here's what audit2allow says about it:
allow httpd_t bin_t:lnk_file { read }; allow httpd_t nfs_t:dir { getattr search }; allow httpd_t user_home_t:file { getattr read };
They you can customize policy to allow these.
To my *very* inexpert eye, it looks like audit2allow is telling me to loosen the restrictions on httpd. I suppose that this is an option (as turning SELinux off entirely for httpd), but I really want to figure out what contexts I need to add the the music filesystems to make them accessible by httpd under the present policy.
Thanks!
Try the policy on ftp://people.redhat.com/dwalsh/SELinux/ FC3
selinux-policy-targeted-1.17.30-2.23
This is a preview of the one that will be in update 1. It has allow rules for the NFS partition.
Dan
