On Sun, Oct 03, 2010 at 10:39:41PM +0200, joe wrote:
>
> Hi
>
> I have Apache httpd running on F12 system, serving files from NFS
> mount. I'm wondering if this shouldn't be restricted by boolean
> "httpd_use_nfs -> off Allow httpd to access nfs file systems"?
> Or is that a misunderstanding?
>
> Files on NFS mount shows context system_u:object_r:nfs_t:s0

$ sesearch --allow -SC -s httpd_t -t nfs_t
Found 10 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t filesystem_type : filesystem getattr ;
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]

As far as I can see in the above output, access by httpd_t to nfs_t is
allowed only when httpd_use_nfs is set, and this is expected behaviour.

What AVC denials are you seeing?

>
> Regards
> Jens
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
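As an added example (not part of the mail above and not code from the setools/sesearch project), the script below parses the sesearch output quoted in the mail and evaluates each bracketed conditional against a chosen set of boolean values, so you can see which permissions httpd_t would actually hold on nfs_t once httpd_use_nfs (or the cgi/homedir pairs) is switched on. The "DT" column is what sesearch -C prints: D/E says whether the rule is currently Disabled/Enabled, T/F whether it sits in the true or false branch of the conditional. Only && appears in the mail; handling of the other policy operators (||, !, ^, ==, !=) in the same postfix form is an assumption, and boolean names absent from the map are treated as off.

```python
import re

# Output of "sesearch --allow -SC -s httpd_t -t nfs_t" as quoted in the mail.
SESEARCH_OUTPUT = """\
Found 10 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t filesystem_type : filesystem getattr ;
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
"""

# One sesearch rule line: optional -C flags, "allow src tgt : class perms ;",
# optional "[ conditional ]" at the end.
RULE_RE = re.compile(
    r"^\s*(?:(?P<flags>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\])?\s*$"
)


def parse_rules(text):
    """Turn sesearch rule lines into dicts; the header and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        cond = m.group("cond").split() if m.group("cond") else []
        rules.append({
            "flags": m.group("flags"),   # None for unconditional rules
            "src": m.group("src"),
            "tgt": m.group("tgt"),
            "cls": m.group("cls"),
            "perms": set(perms),
            "cond": cond,                # postfix token list, e.g. [a, b, "&&"]
        })
    return rules


def eval_cond(tokens, booleans):
    """Evaluate a bracketed conditional printed in postfix form
    ("httpd_enable_cgi httpd_use_nfs &&"). Operators other than && are
    assumed to be printed the same way. Unknown booleans count as off."""
    stack = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in ("&&", "||", "^", "==", "!="):
            b = stack.pop()
            a = stack.pop()
            stack.append({"&&": a and b, "||": a or b, "^": a != b,
                          "==": a == b, "!=": a != b}[tok])
        else:
            stack.append(bool(booleans.get(tok, False)))
    if len(stack) != 1:
        raise ValueError("malformed conditional: %r" % (tokens,))
    return stack[0]


def effective_perms(rules, booleans, src="httpd_t", tgt="nfs_t"):
    """Permissions src would hold on tgt, by object class, with the given
    boolean values. Rules on attributes (file_type, filesystem_type) are not
    expanded here; in this output they only grant filesystem getattr anyway."""
    out = {}
    for r in rules:
        if r["src"] != src or r["tgt"] != tgt:
            continue
        if r["cond"] and not eval_cond(r["cond"], booleans):
            continue
        out.setdefault(r["cls"], set()).update(r["perms"])
    return out


def currently_disabled(rules):
    """Conditional rules whose -C flag says they are disabled on the system
    the output came from (all eight nfs_t rules in the mail)."""
    return [r for r in rules if r["flags"] and r["flags"][0] == "D"]


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    print("%d conditional rules currently disabled" % len(currently_disabled(rules)))
    for name, bools in [("all booleans off", {}),
                        ("httpd_use_nfs on", {"httpd_use_nfs": True}),
                        ("httpd_use_nfs + httpd_enable_cgi on",
                         {"httpd_use_nfs": True, "httpd_enable_cgi": True})]:
        perms = effective_perms(rules, bools)
        print(name + ":")
        if not perms:
            print("  (no access to nfs_t)")
        for cls in sorted(perms):
            print("  %s: %s" % (cls, " ".join(sorted(perms[cls]))))
```

With every boolean off (the state the DT flags report) the script finds no httpd_t access to nfs_t at all, which is why the reply expects the denials; flipping httpd_use_nfs alone grants the read/write set, and execute on files only appears once httpd_enable_cgi is on as well. On a live system the same output comes from sesearch and the boolean values from getsebool -a, so the script can be pointed at real output instead of the quoted sample.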