Re: Running httpd scripts from nfs mounts?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2005-01-27 at 15:49 -0500, John W. Lockhart wrote:
> Stephen Smalley wrote:
> > On Thu, 2005-01-27 at 11:25, John W. Lockhart wrote:
> > 
> >>Aha!  It is indeed mounted nosuid:
> >>rw,nosuid,nodev,noatime,rsize=8192,wsize=8192,bg,intr,soft,context=system_u:object_r:httpd_sys_content_t
> 
> > Not clear you want to just remove nosuid, as that obviously has other
> > security implications.  If policy allowed httpd_t to set its exec
> > context, then you could use a wrapper script that just does a runcon -t
> > httpd_sys_script_t <realscript> to manually transition to the new
> > domain.
> 
> For now, since the nfs server contains trusted materials, I got rid of the
> nosuid.  Got a little farther, but hit:
> 
> kernel: audit(1106858631.779:0): avc:  denied  { search } for  pid=22886
> exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t
> tclass=dir

Wouldn't be harmful to allow by default, I think.


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux