On Sun, 2005-09-04 at 11:10 -0700, Ben wrote:
> I'm trying to use NFS to make a bunch of images available for apache.
> SELinux on the apache server seems to be getting in the way, and this
> time I think it really is SELinux, because apache can serve the
> images just fine when I'm not enforcing. When I turn on enforcing, I
> get permission denied messages.
>
> Unfortunately, there are no avc messages being generated, even when I
> follow the steps listed out here:
>
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008

Just in case you don't know it already, in FC4, audit messages are now
directed to a separate audit daemon (auditd) and logged to
/var/log/audit/audit.log rather than being handled by klogd/syslogd and
going to /var/log/messages. So you need to look in audit.log for any
denials.

> I suspect the issue might have something to do with there being no
> SELinux attributes on the files in my image directory.... but without
> any avc messages, it's hard to tell.
>
> Interestingly, even when I am enforcing, I can copy and read the
> files.... just not with apache.

Yes, that would make sense, as user sessions are unrestricted by the
targeted policy (they are in unconfined_t, e.g. see the output of id -Z).
Targeted policy only tries to control specific daemons.

This may be affected by one of the policy booleans, e.g.
/usr/sbin/getsebool -a | grep httpd and /usr/sbin/getsebool -a | grep nfs.

Other resources:
man httpd_selinux
man nfs_selinux

--
Stephen Smalley
National Security Agency
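
Added example, not part of the original message: a shell function that pulls the AVC denials for one daemon out of audit.log-format text and groups them by permission, source type, target type and class. The function names are hypothetical and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: group AVC denials for one command by permission and type.
# Real use: summarize_avc httpd < /var/log/audit/audit.log

summarize_avc() {   # $1 = command name as logged in comm="..."
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        comm = sctx = tctx = tclass = perms = ""
        # Permissions are the words between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "comm")     { gsub(/"/, "", v); comm = v }
            if (k == "scontext") sctx = v
            if (k == "tcontext") tctx = v
            if (k == "tclass")   tclass = v
        }
        if (comm != want) next
        # The type is field 3 of user:role:type[:level].
        split(sctx, s, ":"); split(tctx, t, ":")
        count[perms " " s[3] " " t[3] " " tclass]++
    }
    END { for (key in count) print count[key], key }
    ' | sort -k1,1nr -k2
}

sample_log() {   # constructed audit.log lines, not taken from a real system
    cat <<'EOF'
type=AVC msg=audit(1125857401.101:201): avc:  denied  { search } for  pid=2345 comm="httpd" name="images" dev=0:15 ino=100 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=AVC msg=audit(1125857401.102:202): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="logo.png" dev=0:15 ino=101 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1125857401.103:203): avc:  denied  { read } for  pid=2345 comm="httpd" name="logo.png" dev=0:15 ino=101 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=SYSCALL msg=audit(1125857401.103:203): arch=40000003 syscall=5 success=no exit=-13 pid=2345 comm="httpd"
type=AVC msg=audit(1125857402.104:204): avc:  denied  { read } for  pid=2346 comm="httpd" name="photo.jpg" dev=0:15 ino=102 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1125857403.105:205): avc:  denied  { write } for  pid=900 comm="named" name="named.conf" dev=hda2 ino=500 scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

sample_log | summarize_avc httpd
```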