> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: 16 April 2012 16:26
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/16/2012 05:37 AM, Moray Henderson wrote:
> > (sorry - my reply didn't get copied to the list)
> >
> >> -----Original Message-----
> >> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> >> Sent: 13 April 2012 17:52
> >>>
> >>> I can do this:
> >>>
> >>>   [root@kojihub ~]# setenforce 0
> >>>   [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
> >>>   [root@kojihub ~]# setenforce 1
> >>>   [root@kojihub ~]# id
> >>>   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
> >
> > (those lines should not have joined - 2 spaces at the beginning of each
> > line are supposed to prevent an email client "helpfully" removing line
> > breaks)
> >
> >>> However, I think I have a problem. My nfs server has to have SELinux
> >>> disabled for other reasons, so I can't set nfs_export_all_rw there. It has
> >>> to be on the nfs server, doesn't it? Even if I set everything in the tree
> >>> I'm exporting to public_content_rw_t on the server and unmount and remount
> >>> the client filesystem everything still comes out as nfs_t. Is that because
> >>> it's not getting the proper information from the nfs server?
> >>>
> >>> Other than leaving my Koji server in permissive mode or using
> >>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
> >>> this work? If not, I'll have to rearrange some disk space.
> >>>
> >>>
> >>> Moray. “To err is human; to purr, feline.”
> >>>
> >> The remote client does not have to have SELinux enabled or not. Let's step
> >> back to the beginning: what problem are you trying to solve?
> >>
> >> SELinux is enforced at the client side, so it treats all files as nfs_t.
> >> If you are trying to share content on an NFS Server using apache, you
> >> have to turn on a couple of booleans depending on the OS you are running
> >> SELinux on.
> >
> > My apache server is on the nfs client machine. That machine does not have
> > enough disk space, so I was hoping to have it write to a filesystem mounted
> > from another machine. The machine that I was trying to use as the nfs
> > server has lots of disk space, but has to have SELinux disabled.
> >
> >
> > Moray. “To err is human; to purr, feline.”
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> You do not need runcon. You need to mount the nfs share with a context mount.
> Something like
>
>   mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT
>
> Or you can turn on the httpd_use_nfs boolean
>
>   setsebool -P httpd_use_nfs 1
>
> If that boolean does not exist you could turn on
>
>   setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1

Ah, THAT's how it's done! Thank you. (I was relying on CentOS 5 man pages, which don't mention httpd_use_nfs.)

Moray. “To err is human; to purr, feline.”

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
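The decision Dan lays out (context mount, or the httpd_use_nfs boolean, or the home-dir booleans when the policy lacks it) as an added shell example that is not part of the thread. The function names are hypothetical; the mount and setsebool commands are only composed, not run, so the logic can be checked on a host without SELinux tools, and the context check refuses a malformed context string before it ever reaches mount.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Hypothetical helper
# names; commands are built as strings and left for the admin to run.

# Validate an SELinux context: user:role:type:level, with the usual
# _u/_r/_t suffixes and an MLS level starting with sN.  Catches slips
# such as a user field of "system_" (missing "u") that mount rejects.
valid_context() {
    ctx=$1
    case "$ctx" in
        *:*:*:*) ;;
        *) return 1 ;;
    esac
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    case "$user"  in *_u) ;; *) return 1 ;; esac
    case "$role"  in *_r) ;; *) return 1 ;; esac
    case "$type"  in *_t) ;; *) return 1 ;; esac
    case "$level" in s[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Compose the context mount from Dan's mail; fail on a bad context.
# Args: context, remote export (host:/path), local mount point.
nfs_context_mount_cmd() {
    valid_context "$1" || return 1
    printf 'mount -t nfs -o context="%s" %s %s\n' "$1" "$2" "$3"
}

# Pick the boolean fix from the output of `getsebool httpd_use_nfs`
# (passed in as text so the choice is testable without a live policy).
# A known boolean prints "httpd_use_nfs --> on|off"; an unknown one
# prints an error, which is the CentOS 5 case Moray hit.
boolean_fix_cmd() {
    case "$1" in
        "httpd_use_nfs --> "*)
            echo "setsebool -P httpd_use_nfs 1" ;;
        *)  # Boolean absent from this policy: use the home-dir pair.
            echo "setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1" ;;
    esac
}

# Usage on a real host (constructed export and mount point):
# boolean_fix_cmd "$(getsebool httpd_use_nfs 2>&1)"
# nfs_context_mount_cmd system_u:object_r:httpd_sys_content_rw_t:s0 \
#     bigdisk:/export/koji /mnt/koji
```

After mounting, `ls -Zd /mnt/koji` should show the context given on the command line rather than nfs_t.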