On Sun, 2010-10-03 at 22:57 +0200, Dominick Grift wrote:
> On Sun, Oct 03, 2010 at 10:39:41PM +0200, joe wrote:
> >
> > Hi
> >
> > I have Apache httpd running on an F12 system, serving files from an NFS
> > mount. I'm wondering if this shouldn't be restricted by the boolean
> > "httpd_use_nfs -> off Allow httpd to access nfs file systems"?
> > Or is that a misunderstanding?
> >
> > Files on the NFS mount show context system_u:object_r:nfs_t:s0
>
> $ sesearch --allow -SC -s httpd_t -t nfs_t
> Found 10 semantic av rules:
> allow httpd_t file_type : filesystem getattr ;
> allow httpd_t filesystem_type : filesystem getattr ;
> DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
> DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
> DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
>
> As far as I can see in the above output, access by httpd_t to nfs_t is allowed only when httpd_use_nfs is set, and this is expected behaviour.
>
> What AVC denials are you seeing?

Not seeing AVC denials, as the access is allowed. That's why I was wondering if the boolean was working as intended, since it's set to off.
The same sesearch on my system:

Found 10 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
allow httpd_t filesystem_type : filesystem getattr ;
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
ET allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]

Not sure what DT/ET means.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
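The DT/ET prefixes are sesearch's conditional-rule markers: the first letter says whether the rule is currently Enabled or Disabled given the booleans' present values, the second whether it sits in the True or False branch of the conditional in brackets. As an added example (not part of the thread), this POSIX shell snippet takes the second listing above and reports which rules are active and which booleans govern them, so an admin knows exactly which values to confirm with getsebool:

```shell
# Added example, not from the thread. sesearch (setools 3) prefixes each
# conditional rule with two letters: E/D = the rule is currently Enabled or
# Disabled given the booleans' present values, T/F = it lives in the True or
# False branch of the conditional expression shown in [ ... ].
# The sample below is the conditional part of the second listing in the thread.
SESEARCH_OUTPUT='DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
ET allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]'

# Rules that are in effect right now: prefix letter E.
active_rules() {
    printf '%s\n' "$SESEARCH_OUTPUT" | grep '^E'
}

# Number of rules currently granting httpd_t some access to nfs_t.
active_rule_count() {
    active_rules | wc -l | tr -d ' '
}

# Distinct boolean expressions (the [ ... ] part) behind the active rules.
active_conditions() {
    active_rules | sed 's/.*\[ \(.*\) \]$/\1/' | sort -u
}

# Individual booleans named in those expressions, minus the && operator,
# one per line: these are the values to verify with getsebool.
active_booleans() {
    active_conditions | tr ' ' '\n' | grep -v '^&&$' | grep -v '^$' | sort -u
}

# On a live SELinux host, print the current value of each such boolean.
show_boolean_values() {
    if command -v getsebool >/dev/null 2>&1; then
        active_booleans | xargs getsebool
    else
        echo "getsebool not found; run this on the SELinux host" >&2
        return 1
    fi
}
```

On the listing above this reports three active rules, all gated by httpd_enable_homedirs && use_nfs_home_dirs rather than by httpd_use_nfs, which is the pair of booleans worth checking when access is granted even though httpd_use_nfs is off.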