(sorry - my reply didn't get copied to the list)
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: 13 April 2012 17:52
I can do this:
[root@kojihub ~]# setenforce 0 [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash [root@kojihub ~]# setenforce 1 [root@kojihub ~]# id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
(those lines should not have joined - 2 spaces at the beginning of each line are supposed to prevent an email client "helpfully" removing line breaks)
However, I think I have a problem. My nfs server has to have SELinux disabled for other reasons, so I can't set nfs_export_all_rw there. It has to be on the nfs server, doesn't it? Even if I set everything in the tree I'm exporting to public_content_rw_t on the server and unmount and remount the client filesystem everything still comes out as nfs_t. Is that because it's not getting the proper information from the nfs server?
Other than leaving my Koji server in permissive mode or using httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make this work? If not, I'll have to rearrange some disk space.
Moray. “To err is human; to purr, feline.”
The remote client does not have to have SELinux enabled or not. Let's step back to the beginning, what problem are you trying to solve?
SELinux is enforced at the client side, so it treats all files as nfs_t. If you are trying to share content on an NFS Server using apache, you have to turn on a couple of booleans depending on the OS you are running SELinux on.
My apache server is on the nfs client machine. That machine does not have enough disk space, so I was hoping to have it write to a filesystem mounted from another machine. The machine that I was trying to use as the nfs server has lots of disk space, but has to have SELinux disabled.
Moray. “To err is human; to purr, feline.”