On Wed, Oct 06, 2010 at 06:26:01PM -0400, m.roth@xxxxxxxxx wrote:
> Can someone give me a pointer as to where I need to start? On the server
> the directory is physically on, I've set a bunch of cgi scripts to
> httpd_sys_script_exec_t, and restarted nfs. Then I did the same on the
> server mounting that directory... and the scripts show as nfs_t. getsebool
> -a | grep nfs shows
> allow_ftpd_use_nfs --> off
> allow_nfsd_anon_write --> off
> httpd_use_nfs --> on
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nfsd_disable_trans --> off
> qemu_use_nfs --> on
> samba_share_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
>
> So, what do I need to do to get rid of the AVCs (yeah, we're in permissive
> mode)?

This is what sesearch tells me:

$ sesearch --allow -SC -s httpd_t -t nfs_t -c file -p execute
Found 1 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]

$ sesearch --allow -SC -s httpd_t -t httpd_sys_script_t | grep nfs
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]

When booleans httpd_enable_cgi and httpd_use_nfs are both set to true, then
httpd_t will transition to httpd_sys_script_t when it executes an entry_file
with type nfs_t:

httpd_t(apache) -> nfs_t(type of cgi script on nfs) -> httpd_sys_script_t(type of nfs cgi script process)

>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
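As an added example (not code from the thread), a small Python script that reads `getsebool` output and the postfix condition that `sesearch -SC` prints in `[ ... ]`, then reports whether each conditional rule is currently active. The `httpd_enable_cgi` line is an assumed value, since it was not in the `grep nfs` output quoted above; the D/E and T/F prefix letters are interpreted as setools' enabled/disabled and true/false-branch flags.

```python
import re

# Constructed sample of `getsebool -a` output, trimmed to the booleans that
# matter here. httpd_enable_cgi is ASSUMED off (the DT prefix in the thread's
# sesearch output says the rule is currently disabled).
GETSEBOOL_OUTPUT = """\
httpd_use_nfs --> on
httpd_enable_cgi --> off
nfs_export_all_ro --> on
"""

# Constructed copy of the two conditional rules shown by `sesearch --allow -SC`.
SESEARCH_OUTPUT = """\
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]
"""

def parse_booleans(text):
    """Map boolean name -> bool from `getsebool -a` style lines."""
    bools = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*-->\s*(on|off)\s*$", line)
        if m:
            bools[m.group(1)] = m.group(2) == "on"
    return bools

def eval_postfix(tokens, bools):
    """Evaluate the postfix (RPN) boolean expression sesearch prints."""
    stack = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in ("&&", "||", "^", "==", "!="):
            b, a = stack.pop(), stack.pop()
            stack.append({"&&": a and b, "||": a or b, "^": a != b,
                          "==": a == b, "!=": a != b}[tok])
        else:
            stack.append(bools[tok])  # KeyError: boolean missing from getsebool output
    (result,) = stack              # a well-formed expression leaves exactly one value
    return result

def active_rules(sesearch_text, bools):
    """Return (rule, active) pairs: a T-branch rule is active when its
    condition is true, an F-branch rule when it is false."""
    out = []
    for line in sesearch_text.splitlines():
        m = re.match(r"^[ED]([TF])\s+(.*?)\s*;\s*\[\s*(.*?)\s*\]\s*$", line)
        if not m:
            continue
        branch, rule, cond = m.group(1), m.group(2), m.group(3).split()
        value = eval_postfix(cond, bools)
        out.append((rule, value if branch == "T" else not value))
    return out
```

Flipping `httpd_enable_cgi` to `on` in the sample makes both rules active, which is exactly the transition chain described in the reply.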