On Mon, Oct 04, 2010 at 11:15:19AM +0200, joe wrote:
>
> On Sun, 2010-10-03 at 22:57 +0200, Dominick Grift wrote:
> > On Sun, Oct 03, 2010 at 10:39:41PM +0200, joe wrote:
> > >
> > > Hi
> > >
> > > I have Apache httpd running on F12 system, serving files from NFS
> > > mount. I'm wondering if this shouldn't be restricted by boolean
> > > "httpd_use_nfs -> off Allow httpd to access nfs file systems"?
> > > Or is that a misunderstanding?
> > >
> > > Files on the NFS mount show context system_u:object_r:nfs_t:s0
> > >
> > > $ sesearch --allow -SC -s httpd_t -t nfs_t
> >
> > Found 10 semantic av rules:
> >    allow httpd_t file_type : filesystem getattr ;
> >    allow httpd_t filesystem_type : filesystem getattr ;
> > DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> > DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
> > DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> > DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
> > DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
> >
> > As far as I can see in the above output, access by httpd_t to nfs_t is
> > allowed only when httpd_use_nfs is set, and this is expected behaviour.
> >
> > What AVC denials are you seeing?
> >
>
> Not seeing AVC denials as the access is allowed. That's why I was
> wondering if the boolean was working as intended since it's set to off.
>
> The same sesearch on my system:
> Found 10 semantic av rules:
>    allow httpd_t file_type : filesystem getattr ;
>    allow httpd_t filesystem_type : filesystem getattr ;
> DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> ET allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
> DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> ET allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
> ET allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
>
> Not sure what DT/ET means.

Enable tunable/Disable tunable (at least that's how I interpret it.)

Looks like you have both the httpd_enable_homedirs and use_nfs_home_dirs booleans set to true, which provides read access to nfs_t.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
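The thread above turns on reading the conditional rules in `sesearch -C` output: a rule in `[ ... ]` only grants anything when its boolean expression is true, and the expression is printed in postfix form (`httpd_enable_homedirs use_nfs_home_dirs &&` means "both booleans on"). The following script is an added example and is not code from the thread, from the setools project or from the Fedora policy. It parses the poster's own `sesearch` output (embedded below as a constructed sample), evaluates each rule's postfix expression against a chosen set of boolean values, and reports the permissions httpd_t effectively holds on nfs_t. The boolean values are an assumption reconstructed from the ET/DT markers (E/D is whether the rule is currently enabled or disabled, T/F whether it belongs to the true or false branch of the conditional); the script cross-checks that assumption against those markers, which on a live host you would replace with the output of `getsebool -a`.

```python
"""Which conditional SELinux rules actually grant httpd_t access to nfs_t?

Added example; not part of the original mailing-list thread. Parses the
`sesearch --allow -SC -s httpd_t -t nfs_t` output quoted in the thread and
evaluates each rule's postfix boolean expression against assumed boolean
values. Attribute-targeted rules (e.g. target file_type) are not expanded
here, since that needs the loaded policy; only rules whose target is the
literal type asked for are counted.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the poster's `sesearch --allow -SC` output, verbatim.
SESEARCH_OUTPUT = """\
Found 10 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t filesystem_type : filesystem getattr ;
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
ET allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
ET allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
"""

# Assumed boolean state of the poster's host (reconstructed from the ET/DT
# markers, not queried from a real system; httpd_enable_cgi is a guess that
# does not matter while httpd_use_nfs is off).
POSTER_BOOLS: Dict[str, bool] = {
    "httpd_use_nfs": False,
    "httpd_enable_homedirs": True,
    "use_nfs_home_dirs": True,
    "httpd_enable_cgi": True,
}

RULE_RE = re.compile(
    r"^\s*(?P<flag>[ED][TF])?\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\])?\s*$"
)


def parse_rules(text: str) -> List[dict]:
    """Turn sesearch -C lines into dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        cond = m.group("cond")
        rules.append({
            "flag": m.group("flag"),            # 'ET', 'DT', 'EF', 'DF' or None
            "source": m.group("src"),
            "target": m.group("tgt"),
            "class": m.group("cls"),
            "perms": set(perms),
            "cond": cond.split() if cond else None,  # postfix tokens
        })
    return rules


def eval_cond(tokens: List[str], bools: Dict[str, bool]) -> bool:
    """Evaluate a postfix conditional as sesearch prints it (a b && , a !)."""
    stack: List[bool] = []
    ops = {"&&": lambda a, b: a and b, "||": lambda a, b: a or b,
           "^": lambda a, b: a != b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in ops:
            b, a = stack.pop(), stack.pop()
            stack.append(ops[tok](a, b))
        else:
            stack.append(bools[tok])  # KeyError: boolean value not supplied
    if len(stack) != 1:
        raise ValueError("malformed conditional: %r" % tokens)
    return stack[0]


def rule_active(rule: dict, bools: Dict[str, bool]) -> bool:
    """A conditional rule is in effect when its branch (T/F) is the live one."""
    if rule["cond"] is None:
        return True
    value = eval_cond(rule["cond"], bools)
    in_true_branch = rule["flag"] is None or rule["flag"][1] == "T"
    return value if in_true_branch else not value


def check_flags(rules: List[dict], bools: Dict[str, bool]) -> List[str]:
    """Return rules whose printed E/D marker disagrees with our evaluation;
    a non-empty list means the assumed boolean values don't match the host."""
    bad = []
    for r in rules:
        if r["flag"] is None:
            continue
        if rule_active(r, bools) != (r["flag"][0] == "E"):
            bad.append("%s %s:%s %s" % (r["flag"], r["target"], r["class"], r["cond"]))
    return bad


def effective_perms(rules: List[dict], bools: Dict[str, bool],
                    source: str, target: str) -> Dict[str, Set[str]]:
    """Union of permissions per object class that `source` holds on `target`."""
    out: Dict[str, Set[str]] = {}
    for r in rules:
        if r["source"] == source and r["target"] == target and rule_active(r, bools):
            out.setdefault(r["class"], set()).update(r["perms"])
    return out


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    print("flag mismatches:", check_flags(rules, POSTER_BOOLS) or "none")
    for cls, perms in sorted(effective_perms(rules, POSTER_BOOLS, "httpd_t", "nfs_t").items()):
        print("httpd_t -> nfs_t %-8s %s" % (cls, " ".join(sorted(perms))))
    no_homedirs = dict(POSTER_BOOLS, httpd_enable_homedirs=False)
    print("with httpd_enable_homedirs off:", effective_perms(rules, no_homedirs, "httpd_t", "nfs_t") or "nothing")
```

With the assumed values the only active rules are the three `ET` homedir rules, so httpd_t gets read-only access (no `write`, `create` or `unlink`) even though `httpd_use_nfs` is off; flipping `httpd_enable_homedirs` off removes every nfs_t rule, which is the check to run before concluding a boolean is broken.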