Fabrizio Buratta wrote:
> Hi everybody.
>
> I'm trying to mount an NFS server (a RAID5 NAS) on my CentOS 4.
> Afterward I want a script inside the apache cgi-bin directory to be
> able to do any file and dir operations.
>
> Let's say I want a context capable of apache r/w operations on my
> mount dir, then I execute:
>
> mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t mynas:/external_dir /mnt/my_mount_dir
>
> It does mount my external dir, but if I execute ls -Z I see:
>
> drwxrwxrwx 254 254 storage
>
> Where's my context? Obviously my script is not able to write on this
> directory and selinux complains:
>
> type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
> type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4 a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=AVC_PATH msg=audit(1223458283.439:3794033): path="/var"
> type=CWD msg=audit(1223458283.439:3794033): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0 inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003 syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4 a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.050:3794034): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.050:3794034): name="/mnt/storage/nightly/testfile" flags=1 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003 syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.051:3794035): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.051:3794035): name="/mnt/storage/nightly/testfile" flags=310 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
>
> Of course I'm using a python script.
> Until now I did not try to compile a local selinux policy in order
> to allow that kind of operations (I would avoid it if possible).
>
> Any suggestion?
>
> Thanks,
> Fab.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You have two problems.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t mnt_t:dir search;

You need to load a custom policy to allow your cgi scripts to read through the /mnt directory.

allow httpd_sys_script_t var_t:dir getattr;

This one does not make sense; this rule should be allowed in all default policies. What policy are you running? Apache scripts should be able to search/getattr on var_t in order to use /var/www/.

Neither of these AVCs are much of a security risk to allow.
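The two allow rules in the reply are what you get by collapsing the AVC records above by (source type, target type, class). As an added illustration (not code from the thread or from the audit2allow tool), the script below does that collapse over the three AVC records quoted in the question, embedded here as constructed sample input; the SYSCALL/PATH/CWD records are skipped because they carry no access vector.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the question, trimmed to the
# fields the parser needs, plus one SYSCALL record to show it is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

# One AVC record: the permission set in braces, then the subject and
# object contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Return (source_type, target_type, tclass, perms) for each AVC record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record
        # A context is user:role:type[:level]; the policy rule needs the type.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        perms = frozenset(m.group('perms').split())
        denials.append((stype, ttype, m.group('tclass'), perms))
    return denials


def allow_rules(text):
    """Merge denials into the allow rules a local policy module would need."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AUDIT)))
```

The printed rules are the body of a .te file; on a real system the standard audit2allow -M / semodule -i workflow does this step and the build for you.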