Re: Unable to create files when using "context" option for NFS

Robert Bottomley wrote:

> In FC3 (running kernel 2.6.11-1.27_FC3smp and selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use by Apache. In /etc/fstab, I have:
>
> ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
>
> Any attempts to create a file in /svn are met with (here I was attempting a "touch x"):
>
We don't have a good solution for this.


> audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
>
> It does not matter what context I specify, I cannot create a file -- even though my shell is running as unconfined_t. (If a file already exists, I can edit it.)
>
> So the questions are:
>
> 1. Is this a bug? Should I not be able to create a file when running in the unconfined_t context?
>
> 2. Audit2allow tells me that I need to add:
> "

You can install policy sources (selinux-policy-targeted-sources)

cd /etc/selinux/targeted/src/policy
echo "allow httpd_sys_script_rw_t self:filesystem associate;" >> domains/misc/local.te
make load

And try it out. It should work. The problem for us is how to generalize this solution.

Dan

> but if unconfined_t context cannot write, then will something in httpd_sys_script_rw_t be able to?
>
> sestatus
> ========
>
> SELinux status:         enabled
> SELinuxfs mount:        /selinux
> Current mode:           enforcing
> Mode from config file:  enforcing
> Policy version:         18
> Policy from config file:targeted
>
> Policy booleans:
> allow_ypbind            active
> dhcpd_disable_trans     inactive
> httpd_disable_trans     inactive
> httpd_enable_cgi        active
> httpd_enable_homedirs   active
> httpd_ssi_exec          active
> httpd_tty_comm          inactive
> httpd_unified           inactive
> mysqld_disable_trans    inactive
> named_disable_trans     inactive
> named_write_master_zones inactive
> nscd_disable_trans      inactive
> ntpd_disable_trans      inactive
> portmap_disable_trans   inactive
> postgresql_disable_trans inactive
> snmpd_disable_trans     inactive
> squid_disable_trans     inactive
> syslogd_disable_trans   inactive
> use_nfs_home_dirs       inactive
> use_samba_home_dirs     inactive
> use_syslogng            inactive
> winbind_disable_trans   inactive
> ypbind_disable_trans    inactive
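To make the rule Dan's echo line writes concrete, here is an added example (my own script, not from the thread or from audit2allow) that parses an AVC record of the shape quoted above, derives the allow rule audit2allow would generate, and flags the filesystem "associate" case that a context= mount produces when the file's type has no such rule. Field names are taken from the audit line on this page; the sample line is constructed from it.

```python
import re

# Constructed sample: the AVC denial quoted earlier in this thread.
SAMPLE_AVC = ("audit(1117233333.027:0): avc: denied { associate } for pid=12795 "
              "exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t "
              "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem")

# "avc: denied { perm perm } for key=value key=value ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict of the key=value fields plus a 'perms' list, or None if
    the line is not an AVC denial. Values are taken up to the next space, so
    quoted fields in newer audit logs keep their quotes."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    avc = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    avc["perms"] = m.group("perms").split()
    return avc


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rule(avc):
    """Build the Type Enforcement allow rule that would permit this denial.
    When source and target types match, the rule uses 'self', which is exactly
    what the context= mount case needs: the file type must be allowed to
    associate with a filesystem labelled with the same type."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"], " ".join(avc["perms"]))


def is_filesystem_associate_denial(avc):
    """True when a file type is refused residence on the filesystem's label,
    the signature of a context= mount whose type lacks a filesystem associate
    rule. This is worth recognising before blindly adding the rule."""
    return avc["tclass"] == "filesystem" and "associate" in avc["perms"]


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(allow_rule(parsed), "# context= mount case:", is_filesystem_associate_denial(parsed))
```

Before loading a rule like this, confirm the denial really is the associate case: an allow on filesystem associate only lets files of that type live on the mount, it does not itself grant unconfined_t or httpd domains any file access.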



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
