Re: httpd_use_nfs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Oct 04, 2010 at 11:15:19AM +0200, joe wrote:
> 
> On Sun, 2010-10-03 at 22:57 +0200, Dominick Grift wrote:
> > On Sun, Oct 03, 2010 at 10:39:41PM +0200, joe wrote:
> > > 
> > > Hi
> > > 
> > > I have Apache httpd running on F12 system, serving files from NFS
> > > mount. I'm wondering if this shouldn't be restricted by boolean
> > > "httpd_use_nfs  -> off   Allow httpd to access nfs file systems"?
> > > Or is that a misunderstanding? 
> > > 
> > > Files on NFS mount shows context system_u:object_r:nfs_t:s0
> > 
> > 
> > $ sesearch --allow -SC -s httpd_t -t nfs_t
> > Found 10 semantic av rules:
> >    allow httpd_t file_type : filesystem getattr ; 
> >    allow httpd_t filesystem_type : filesystem getattr ; 
> > DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> > DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
> > DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> > DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
> > DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> > DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
> > 
> > As far as i can see in the above output, access by httpd_t to nfs_t is allowed only when httpd_use_nfs is set, and this is expected behaviour.
> > 
> > What AVC denials are you seeying?
> > > 
> 
> Not seeing AVC denials as the access is allowed. Thats why I was
> wondering if the boolean was working as intended since its set to off.
> 
> The same sesearch om my system:
> Found 10 semantic av rules:
>    allow httpd_t file_type : filesystem getattr ; 
>    allow httpd_t filesystem_type : filesystem getattr ; 
> DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> ET allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_use_nfs ]
> DT allow httpd_t nfs_t : dir { getattr search open } ; [ httpd_enable_cgi httpd_use_nfs && ]
> ET allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_use_nfs ]
> ET allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
> DT allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_use_nfs ]
> 
> Not sure what DT/ET means.

Enable tunable/Disable tunable (at least thats how i interpret it.)

Looks like you have both httpd_enable_homedirs as well as usr_nfs_home_dirs boolean set to true that provides read access to nfs_t.


> 
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Attachment: pgpS9vHKjOQT3.pgp
Description: PGP signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux