On Sat, 2007-12-08 at 11:41 -0500, Johnny Tan wrote:
> I have an NFS mount that I want apache to be able to serve
> files from.
>
> According to this doc:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/ch45s02s03.html
>
> I should be able to mount it with a context that will allow
> apache to access it.
>
> But when I try the suggested command:
>
> [root@vm-37:~] mount -t nfs -o \
>     context=system_u:object_r:httpd_sys_content_t \
>     192.168.1.100:/data/test /mnt/test

What kernel messages in /var/log/messages did you get when you ran this
command?

Did you already have a mount from the same server/filesystem when you
tried doing this? If so, unmount those first and try again - context
mounts are limited to one per superblock.

> It *does* mount, but when I do:
> [root@vm-37:~]# ls -lZ /mnt
> drwxr-xr-x 65534 65534 system_u:object_r:nfs_t test
>
> It doesn't show the correct context.
>
> (I don't know if it matters that I don't have a user with
> UID 65534, only the remote NFS server has that.)
>
>
> And sure enough, apache still can't serve from it. I see
> this in /var/log/messages:
> Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:240):
> avc: denied { search } for pid=18066 comm="httpd" name=
> "" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> Dec 7 17:30:14 vm-37 kernel: audit(1197066614.787:241):
> avc: denied { getattr } for pid=18066 comm="httpd" name
> ="" dev=0:14 ino=4301717509
> scontext=root:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>
> When I "setenforce 0", it works. But I want SELinux.
>
>
> Granted, I could do:
> allow httpd_t nfs_t:dir { search getattr };
>
> Well, actually, I haven't tried it but I'm guessing that
> that will work. The problem is that I have other nfs
> directories that I don't want httpd to access, even
> accidentally if we ever point httpd at those directories.
>
> So... any ideas on the nfs mount with the context option?
>
>
> I'm running CentOS-5.1 with latest updates of everything.
>
> johnn
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
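The two checks Stephen asks for above (is the same server export already mounted, so a second context= mount cannot take effect, and what do the AVC denials actually say about the target type) can be scripted. The following is an added example written for this page, not code from the thread or from any SELinux tool. The mount-table lines and the AVC line are constructed samples (the AVC line is the one quoted in the thread, rejoined onto one line); the function names are my own. A mount table can be passed in explicitly, otherwise /proc/mounts is read.

```sh
#!/bin/sh
# Added example: pre-flight checks for an NFS context= mount and a small
# AVC denial reader. Not part of the original thread.

# Constructed sample of /proc/mounts (not from a real system).
SAMPLE_MOUNTS='192.168.1.100:/data/test /mnt/old nfs rw,vers=3,addr=192.168.1.100 0 0
192.168.1.100:/data/other /mnt/other nfs rw,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
/dev/sda1 / ext3 rw 0 0'

# Constructed sample AVC line (the thread's denial, rejoined on one line).
SAMPLE_AVC='audit(1197066614.787:240): avc: denied { search } for pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# existing_nfs_mounts SERVER:/EXPORT [MOUNT_TABLE]
# Prints every mountpoint that already mounts the given export. Because a
# context= option applies per superblock, any hit here means a new
# context= mount of the same export will silently keep the old labelling.
existing_nfs_mounts() {
    src=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v src="$src" \
        '$1 == src && ($3 == "nfs" || $3 == "nfs4") { print $2 }'
}

# mount_context MOUNTPOINT [MOUNT_TABLE]
# Prints the context= value recorded for an existing mount (quotes
# stripped), or nothing if the mount has no context option.
mount_context() {
    mp=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^context=/) {
                sub(/^context=/, "", opts[i]); gsub(/"/, "", opts[i])
                print opts[i]
            }
    }'
}

# avc_fields "AVC LINE"
# Prints: comm scontext tcontext tclass  (space separated, quotes removed).
avc_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm" || kv[1] == "scontext" ||
                kv[1] == "tcontext" || kv[1] == "tclass") {
                gsub(/"/, "", kv[2]); f[kv[1]] = kv[2]
            }
        }
        print f["comm"], f["scontext"], f["tcontext"], f["tclass"]
    }'
}

# type_of CONTEXT
# Extracts the type field (third colon-separated component) of a context.
type_of() {
    printf '%s' "$1" | cut -d: -f3
}

# Demo run against the constructed samples.
if [ "${1:-}" = "demo" ]; then
    echo "already mounted:"; existing_nfs_mounts 192.168.1.100:/data/test "$SAMPLE_MOUNTS"
    echo "context on /mnt/other: $(mount_context /mnt/other "$SAMPLE_MOUNTS")"
    set -- $(avc_fields "$SAMPLE_AVC")
    echo "denied: $1 ($2) -> type $(type_of "$3") class $4"
fi
```

Reading the sample AVC line this way shows the target type is still nfs_t rather than httpd_sys_content_t, which is exactly the symptom of a context= option that never reached the superblock; checking existing_nfs_mounts for the export before mounting is the cheaper way to catch that than waiting for httpd to be denied.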