Re: user guide drafts: "Mounting File Systems"


Murray McAllister wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-10-22 at 15:23 +1000, Murray McAllister wrote:
> 
>>>>  Depending on policy configuration, services, such as Apache HTTP
>>>> Server and MySQL, may not be able to read files labeled with the
>>>> nfs_t type. This prevents an NFS file system being mounted and then
>>>> read or exported by another service.
>>> Might be booleans that control this area as well; I don't know offhand.
>>>
>> /usr/sbin/getsebool -a shows the following booleans available to use
>> nfs,   "use_nfs_home_dirs"  allows all domains that need access to
>> homedirs, access to nfs_t.
> Do other Booleans have to be turned on? I do not understand the output
> of sesearch -C, for example:
> 
> DT allow httpd_t nfs_t : file { ioctl read getattr lock } ; [
> httpd_enable_homedirs use_nfs_home_dirs && ]
Good question, I don't know. Yes, both booleans have to be turned on in
RHEL5.
> 
> I guess this means both Booleans have to be turned on for the allow rule
> to work?
> 
> Stupid question: what do "DT" and "ET" stand for?
> 
> Thanks.
>> (cifs_t samba filesystems) have similar
>> booleans.
>> allow_ftpd_use_nfs --> off
>> httpd_use_nfs --> off
>> qemu_use_nfs --> on
>> samba_share_nfs --> off
>> use_nfs_home_dirs --> on
>> virt_use_nfs --> off
>> xen_use_nfs --> off
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
> with
> the words "unsubscribe selinux" without quotes as the message.


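An added example, not part of the original message or of setools: a small evaluator for the kind of conditional rule line quoted in the thread, showing why the allow rule only takes effect when both booleans are on. It assumes the bracketed expression is in postfix order and that the two-letter prefix is sesearch's enabled/disabled flag followed by the true/false branch of the conditional; the `httpd_enable_homedirs` value and all function names are constructed for illustration.

```python
import re

# Constructed sample in `getsebool -a` format. The *_nfs values match the list
# quoted in the message; httpd_enable_homedirs is an assumed value.
GETSEBOOL = """\
httpd_enable_homedirs --> off
httpd_use_nfs --> off
use_nfs_home_dirs --> on
"""

# The conditional rule quoted in the thread, joined onto one line.
RULE = ("DT allow httpd_t nfs_t : file { ioctl read getattr lock } ; "
        "[ httpd_enable_homedirs use_nfs_home_dirs && ]")

BINARY = {"&&": lambda a, b: a and b, "||": lambda a, b: a or b,
          "^": lambda a, b: a != b, "==": lambda a, b: a == b,
          "!=": lambda a, b: a != b}

def parse_booleans(text):
    """Map boolean name -> bool from `name --> on|off` lines."""
    return {m[1]: m[2] == "on"
            for m in re.finditer(r"^(\S+) --> (on|off)$", text, re.M)}

def eval_postfix(tokens, state):
    """Evaluate a postfix conditional expression against boolean states."""
    stack = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in BINARY:
            b, a = stack.pop(), stack.pop()
            stack.append(BINARY[tok](a, b))
        else:
            stack.append(state[tok])  # KeyError: boolean missing from state
    if len(stack) != 1:
        raise ValueError("malformed conditional expression")
    return stack[0]

def rule_status(line, state):
    """Return (flags, rule, booleans_used, active) for one sesearch -C line."""
    m = re.match(r"^([ED])([TF])\s+(.*?;)\s*\[\s*(.*?)\s*\]\s*$", line)
    if not m:
        raise ValueError("not a conditional rule line")
    tokens = m[4].split()
    cond = eval_postfix(tokens, state)
    # T rules apply when the condition is true, F rules when it is false.
    active = cond if m[2] == "T" else not cond
    names = [t for t in tokens if t != "!" and t not in BINARY]
    return ("E" if active else "D") + m[2], m[3], names, active
```

With the sample state the rule evaluates to `DT` (disabled); setting `httpd_enable_homedirs` to on as well flips it to `ET`.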