On 04/13/2012 10:39 AM, Moray Henderson (ICT) wrote:
> I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
> useful to be able to execute commands in context httpd_t while trying out
> combinations of the nfs_export_all_rw Boolean and public_content_rw_t
> type.
>
> If I can do
>
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
> [root@kojihub ~]# exit
>
> why can't I do
>
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
> runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid argument
>

Because httpd_t is not allowed to run as the unconfined_r and bash is not an
entrypoint for the httpd_t domain. You can write policy for this, but
basically SELinux expects the transitions to work like

unconfined_t @ initrc_exec_t -> initrc_t @ httpd_exec_t -> httpd_t

You can do

runcon -t initrc_t -r system_r id -Z
staff_u:system_r:initrc_t:s0-s0:c0.c1023

But sadly

runcon -t initrc_t -r system_r runcon -t httpd_t id -Z
runcon: invalid context: staff_u:system_r:httpd_t:s0-s0:c0.c1023: Permission denied

still fails because you are missing these rules:

#============= httpd_t ==============
allow httpd_t bin_t:file entrypoint;

#============= initrc_t ==============
allow initrc_t self:process setexec;

You can do the following:

# cat /usr/bin/httpd.sh
#!/bin/sh
id -Z

# chmod +x /usr/bin/httpd.sh
# chcon -t httpd_exec_t /usr/bin/httpd.sh
# runcon -t initrc_t -r system_r sh -c /bin/httpd.sh
staff_u:system_r:httpd_t:s0-s0:c0.c1023

> The actual issue is that I've set up a new koji hub with /mnt/koji on an
> nfs mount; with SELinux in permissive mode I get
>
> AVC Report
> ========================================================
> # date time comm subj syscall class permission obj event
> ========================================================
> 1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
> 2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
> 3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
> 4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
> 5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
> 6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
> 7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
>
> Moray.
>
> "To err is human; to purr, feline."
>
> OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3 0JG - United Kingdom
> Charity reg no: 1112655 - Company reg no: 5649412 (England and Wales)
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
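As an added example, not part of the thread and not code from either poster, here is a small POSIX shell/awk helper that condenses an AVC report in the "N. date time comm subj syscall class permission obj result event" layout quoted above into one line per source type, target type and object class, listing the denied permissions in the order they were first seen. The report lines embedded in it are constructed to mirror the seven entries Moray posted. This is the view you want when working out whether an existing Boolean already covers the access or whether the content needs a different type.

```shell
#!/bin/sh
# Added example (not from the thread): condense an AVC report in the
# "N. date time comm subj syscall class permission obj result event" layout
# into one line per (source type, target type, class) with the denied
# permissions. The sample lines below are constructed to mirror the report
# quoted in the thread.

AVC_SAMPLE='AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496'

# summarize_avc: read report lines on stdin and print
# "src_type tgt_type class perm1,perm2,..." sorted, one line per key.
summarize_avc() {
    awk '
        # Only numbered entries carry an AVC; skip the title, header and
        # ruler lines, and anything that was not a denial.
        $1 !~ /^[0-9]+\.$/ || $10 != "denied" { next }
        {
            # Field 5 is the subject context, field 9 the object context;
            # the third colon-separated element of each is the type.
            split($5, subj, ":"); split($9, obj, ":")
            key = subj[3] " " obj[3] " " $7
            if (!(key in perms)) {
                perms[key] = $8
            } else if (index("," perms[key] ",", "," $8 ",") == 0) {
                perms[key] = perms[key] "," $8
            }
        }
        END { for (k in perms) print k, perms[k] }
    ' | sort
}

# Stand-alone run: print the summary for the constructed sample report.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

On the sample this yields two lines, dir {getattr, search, write, add_name, create} and file {create, open}, for httpd_t on nfs_t; that compact list is what you compare against the allow rules a candidate Boolean toggles (sesearch is the tool for that) before deciding between a Boolean and a relabel.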