On Sun, 2005-09-04 at 11:10 -0700, Ben wrote:
> I'm trying to use NFS to make a bunch of images available for apache.
> SELinux on the apache server seems to be getting in the way, and this
> time I think it really is SELinux, because apache can serve the
> images just fine when I'm not enforcing. When I turn on enforcing, I
> get permission denied messages.
>
> Unfortunately, there are no avc messages being generated, even when I
> follow the steps listed out here:
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008

Just in case you don't know it already, in FC4, audit messages are now
directed to a separate audit daemon (auditd) and logged
to /var/log/audit/audit.log rather than being handled by klogd/syslogd
and going to /var/log/messages. So you need to look in audit.log for
any denials.

> I suspect the issue might have something to do with there being no
> SELinux attributes on the files in my image directory.... but without
> any avc messages, it's hard to tell.
>
> Interestingly, even when I am enforcing, I can copy and read the
> files.... just not with apache.

Yes, that would make sense, as user sessions are unrestricted by the
targeted policy (they are in unconfined_t, e.g. see the output of
id -Z). Targeted policy only tries to control specific daemons.

This may be affected by one of the policy booleans, e.g.
/usr/sbin/getsebool -a | grep httpd and
/usr/sbin/getsebool -a | grep nfs.

Other resources:
man httpd_selinux
man nfs_selinux
--
Stephen Smalley
National Security Agency
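
Added example (not part of the original message): a shell function that summarises AVC denials for one command name from an auditd log such as the /var/log/audit/audit.log mentioned in the reply. The function names are assumptions and the log lines in `sample_log` are constructed for illustration.

```shell
#!/bin/sh
# Added example. avc_summary LOGFILE [COMM] prints one line per distinct denial:
#   count comm source_type target_type class permissions

# Constructed sample records in the auditd AVC format (not real log data).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1125857401.101:31): avc:  denied  { read } for  pid=2301 comm="httpd" name="a.png" dev=0:15 ino=1201 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1125857402.202:32): avc:  denied  { read } for  pid=2302 comm="httpd" name="b.png" dev=0:15 ino=1202 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1125857403.303:33): avc:  denied  { search } for  pid=2302 comm="httpd" name="images" dev=0:15 ino=1200 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1125857403.303:33): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1125857404.404:34): avc:  denied  { write } for  pid=911 comm="named" name="x" dev=hda2 ino=77 scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

avc_summary() {
    log=$1
    comm=${2:-httpd}          # default to the daemon discussed in the thread
    awk -v want="$comm" '
    /type=AVC/ && /denied/ {
        c = s = t = k = p = ""
        # permissions are listed between braces: { read getattr }
        if (match($0, /\{ [^}]* \}/))
            p = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { c = $i; sub(/^comm=/, "", c); gsub(/"/, "", c) }
            if ($i ~ /^scontext=/) { s = ctype($i) }
            if ($i ~ /^tcontext=/) { t = ctype($i) }
            if ($i ~ /^tclass=/)   { k = $i; sub(/^tclass=/, "", k) }
        }
        if (c == want) n[c " " s " " t " " k " " p]++
    }
    # third colon-separated field of user:role:type[:level] is the type
    function ctype(f,   a) { sub(/^[st]context=/, "", f); split(f, a, ":"); return a[3] }
    END { for (key in n) print n[key], key }
    ' "$log" | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host pass /var/log/audit/audit.log.
tmp=$(mktemp) && sample_log > "$tmp" && avc_summary "$tmp" httpd
rm -f "$tmp"
```

An empty result for a daemon that is failing only in enforcing mode means no denial for that command name was logged in the file examined.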