On Tue, 2005-01-25 at 21:34 -0500, John W. Lockhart wrote:
> I'm trying to run scripts via httpd from a trusted nfs server,
> but selinux is preventing me:
>
> kernel: audit(1106703013.728:0): avc: denied { execute } for pid=28425
> exe=/usr/sbin/httpd name=sanity_server.pl dev=0:12 ino=32407792
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t
> tclass=file

Yeah; we have a few booleans for NFS home dirs and the like, but it's
difficult to support arbitrary placement of nfs_t in policy.

> So I umounted the nfs volume, and added the following to the
> mount options in /etc/fstab:
> context=system_u:object_r:httpd_sys_content_t

This is the best approach, IMO.

> I mounted the volume again, and re-tried. That failed with:
>
> kernel: audit(1106705663.904:0): avc: denied { execute_no_trans } for
> pid=28573 exe=/usr/sbin/httpd
> path=/mnt/myserver/testing-scripts/sanity_server.pl dev=0:12 ino=3
> 2407792 scontext=root:system_r:httpd_t
> tcontext=system_u:object_r:httpd_sys_content_t tclass=file

Weird. What's the output of "getsebool httpd_unified"?
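
An added example, not part of the original message: a small Python parser for the two AVC denials quoted above, showing which fields changed once the `context=` mount option was in place and which access is still denied. The function names are hypothetical, and the second record's `ino` value is re-joined from the wrapped quote.

```python
import re

# The two denials quoted in the message, re-joined onto single lines.
DENIALS = [
    "kernel: audit(1106703013.728:0): avc: denied { execute } for pid=28425 "
    "exe=/usr/sbin/httpd name=sanity_server.pl dev=0:12 ino=32407792 "
    "scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file",
    "kernel: audit(1106705663.904:0): avc: denied { execute_no_trans } for "
    "pid=28573 exe=/usr/sbin/httpd "
    "path=/mnt/myserver/testing-scripts/sanity_server.pl dev=0:12 ino=32407792 "
    "scontext=root:system_r:httpd_t "
    "tcontext=system_u:object_r:httpd_sys_content_t tclass=file",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split one 'avc: denied' record into a dict; None if it is not one.
    Assumes key=value fields without embedded spaces, as in the records above."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; policy decisions key on the type field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def compare(before, after):
    """Return {field: (old, new)} for the policy-relevant fields that differ."""
    keys = ("perms", "scontext_type", "tcontext_type", "tclass")
    return {k: (before.get(k), after.get(k))
            for k in keys if before.get(k) != after.get(k)}

def access_vector(rec):
    """Render the denied access as 'source target:class { perms }'."""
    return "%s %s:%s { %s }" % (rec["scontext_type"], rec["tcontext_type"],
                                rec["tclass"], " ".join(rec["perms"]))

if __name__ == "__main__":
    first, second = (parse_avc(line) for line in DENIALS)
    print("before:", access_vector(first))
    print("after: ", access_vector(second))
    for field, (old, new) in compare(first, second).items():
        print("changed %s: %s -> %s" % (field, old, new))
```

The comparison shows that the mount option did relabel the file (`nfs_t` became `httpd_sys_content_t`) while the source domain stayed `httpd_t`; the remaining denial is for `execute_no_trans`, the permission to run a file without a domain transition.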