Daniel J Walsh wrote:
Stephen Smalley wrote:
On Wed, 2008-10-22 at 15:23 +1000, Murray McAllister wrote:
Depending on policy configuration, services, such as Apache HTTP
Server and MySQL, may not be able to read files labeled with the nfs_t
type. This prevents an NFS file system being mounted and then read or
exported by another service.
Might be booleans that control this area as well; I don't know offhand.
/usr/sbin/getsebool -a shows the following booleans available to use
nfs. "use_nfs_home_dirs" allows all domains that need access to
homedirs access to nfs_t.
Do other Booleans have to be turned on? I do not understand the output
of sesearch -C, for example:
DT allow httpd_t nfs_t : file { ioctl read getattr lock } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
I guess this means both Booleans have to be turned on for the allow rule
to work?
Stupid question: what do "DT" and "ET" stand for?
Thanks.
(cifs_t samba filesystems) have similar
booleans.
allow_ftpd_use_nfs --> off
httpd_use_nfs --> off
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
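
An added example (not part of the thread, and not code from setools): a small parser for the "sesearch -C" line quoted above that evaluates its bracketed condition against a set of Boolean values and reports whether the allow rule is in effect. It assumes the bracketed expression is in postfix order, and it reads the two-letter prefix as E/D = rule currently enabled/disabled and T/F = rule belongs to the true/false branch of the conditional. The Boolean values passed in are constructed.

```python
import re

# Constructed sample: the rule quoted in the thread, joined onto one line.
RULE = ("DT allow httpd_t nfs_t : file { ioctl read getattr lock } ; "
        "[ httpd_enable_homedirs use_nfs_home_dirs && ]")

BINARY = {
    "&&": lambda a, b: a and b,
    "||": lambda a, b: a or b,
    "^":  lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

def parse_rule(line):
    """Split a 'sesearch -C' line into (state, rule text, postfix tokens)."""
    m = re.match(r"\s*([ED][TF])\s+(.*?;)\s*\[\s*(.*?)\s*\]\s*$", line)
    if not m:
        raise ValueError("not a conditional rule line: %r" % line)
    return m.group(1), m.group(2), m.group(3).split()

def eval_rpn(tokens, booleans):
    """Evaluate the postfix conditional expression against Boolean values."""
    stack = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in BINARY:
            b, a = stack.pop(), stack.pop()
            stack.append(BINARY[tok](a, b))
        else:
            stack.append(booleans[tok])  # KeyError if the Boolean is unknown
    if len(stack) != 1:
        raise ValueError("malformed expression: %r" % tokens)
    return stack[0]

def rule_active(line, booleans):
    """True if the rule is in effect for the given Boolean settings."""
    state, _rule, tokens = parse_rule(line)
    cond = eval_rpn(tokens, booleans)
    # Assumption: second letter T = 'true' branch, F = 'false' branch.
    return cond if state[1] == "T" else not cond

def required_booleans(line):
    """Names of the Booleans the condition depends on."""
    return sorted(t for t in parse_rule(line)[2] if t != "!" and t not in BINARY)
```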