On 04/16/2012 05:37 AM, Moray Henderson wrote:
> (sorry - my reply didn't get copied to the list)
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>> Sent: 13 April 2012 17:52
>>>
>>> I can do this:
>>>
>>> [root@kojihub ~]# setenforce 0 [root@kojihub ~]# runcon
>>> unconfined_u:system_r:httpd_t:s0 bash [root@kojihub ~]# setenforce 1
>>> [root@kojihub ~]# id uid=0(root) gid=0(root)
>>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>> context=unconfined_u:system_r:httpd_t:s0
>
> (those lines should not have joined - 2 spaces at the beginning of each
> line are supposed to prevent an email client "helpfully" removing line
> breaks)
>
>>> However, I think I have a problem. My nfs server has to have SELinux
>>> disabled for other reasons, so I can't set nfs_export_all_rw there. It has
>>> to be on the nfs server, doesn't it? Even if I set everything in the tree
>>> I'm exporting to public_content_rw_t on the server and unmount and remount
>>> the client filesystem everything still comes out as nfs_t. Is that because
>>> it's not getting the proper information from the nfs server?
>>>
>>> Other than leaving my Koji server in permissive mode or using
>>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
>>> this work? If not, I'll have to rearrange some disk space.
>>>
>>>
>>> Moray.
>>> “To err is human; to purr, feline.”
>>>
>> The remote client does not have to have SELinux enabled or not. Let's step
>> back to the beginning, what problem are you trying to solve?
>>
>> SELinux is enforced at the client side, so it treats all files as nfs_t.
>> If you are trying to share content on an NFS Server using apache, you
>> have to turn on a couple of booleans depending on the OS you are running
>> SELinux on.
>
> My apache server is on the nfs client machine. That machine does not have
> enough disk space, so I was hoping to have it write to a filesystem mounted
> from another machine. The machine that I was trying to use as the nfs
> server has lots of disk space, but has to have SELinux disabled.
>
>
> Moray.
> “To err is human; to purr, feline.”
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

You do not need runcon. You need to mount the nfs share with a context mount.

Something like

  mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT

Or you can turn on the httpd_use_nfs boolean

  setsebool -P httpd_use_nfs 1

If that boolean does not exist you could turn on:

  setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1
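
A check for the two options in the reply above, as an added example that is not part of the original thread: the first function reports whether an NFS mount carries a `context=` option, the second picks the `setsebool` command from `getsebool -a` output. It assumes the kernel lists the option in `/proc/mounts`; the mount point `/mnt/koji`, the host name and all sample lines are constructed.

```shell
#!/bin/sh
# Added example. /mnt/koji, nfsserver and all sample lines are constructed.

# Print the context= option of the NFS mount at $1, reading /proc/mounts-format
# lines on stdin. Returns 1 when there is none: files then show up as nfs_t.
nfs_mount_context() {
    while read -r _dev dir fstype opts _rest; do
        [ "$dir" = "$1" ] || continue
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        o=",$opts"   # leading comma keeps fscontext=/defcontext= from matching
        case $o in
            *,context=\"*) ctx=${o#*,context=\"}; ctx=${ctx%%\"*} ;;  # quoted value
            *,context=*)   ctx=${o#*,context=};   ctx=${ctx%%,*} ;;
            *) return 1 ;;
        esac
        printf '%s\n' "$ctx"
        return 0
    done
    return 1
}

# Read `getsebool -a` output on stdin and print the setsebool command to run:
# httpd_use_nfs if the policy defines it, otherwise the two fallback booleans.
httpd_nfs_setsebool() {
    bools=$(cut -d' ' -f1)
    has() { printf '%s\n' "$bools" | grep -qx "$1"; }
    if has httpd_use_nfs; then
        echo 'setsebool -P httpd_use_nfs 1'
    elif has use_nfs_home_dirs && has httpd_enable_homedirs; then
        echo 'setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1'
    else
        return 1
    fi
}

demo() {
    nfs_mount_context /mnt/koji <<'EOF' || echo 'no context= option: nfs_t'
nfsserver:/export /mnt/koji nfs rw,relatime,vers=3,addr=192.0.2.10 0 0
EOF
    httpd_nfs_setsebool <<'EOF'
httpd_enable_homedirs --> off
use_nfs_home_dirs --> off
EOF
}
demo
```

On a live client the same functions take `nfs_mount_context /mnt/koji < /proc/mounts` and `getsebool -a | httpd_nfs_setsebool`.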