On Wed, Oct 06, 2010 at 06:26:01PM -0400, m.roth(a)5-cent.us wrote:
Can someone give me a pointer as to where I need to start? On the server the directory is physically on, I've set a bunch of cgi scripts to httpd_sys_script_exec_t, and restarted nfs. Then I did the same on the server mounting that directory... and the scripts show as nfs_t. getsebool -a | grep nfs shows:
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
So, what do I need to do to get rid of the AVCs (yeah, we're in permissive mode)?
This is what sesearch tells me:
$ sesearch --allow -SC -s httpd_t -t nfs_t -c file -p execute
Found 1 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
$ sesearch --allow -SC -s httpd_t -t httpd_sys_script_t | grep nfs
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]
When the booleans httpd_enable_cgi and httpd_use_nfs are both set to true, httpd_t will transition to httpd_sys_script_t when it executes an entry file with type nfs_t:
httpd_t (apache) -> nfs_t (type of the cgi script on nfs) -> httpd_sys_script_t (type of the nfs cgi script process)
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
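The rules quoted above are conditional on `httpd_enable_cgi && httpd_use_nfs`, and the poster's `grep nfs` only shows the second boolean. The following is an added example, not code from the thread: it evaluates that conditional against `getsebool -a` output and prints the persistent `setsebool -P` command for whichever boolean is not on. `SAMPLE_GETSEBOOL` is constructed to mirror the posted state plus an assumed value of `off` for httpd_enable_cgi (the post does not show it); on a real host feed it `getsebool -a` instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post).
# Evaluates the sesearch conditional "httpd_enable_cgi && httpd_use_nfs"
# against getsebool output and prints the setsebool fix.
#
# On a live system the equivalent manual checks are:
#   getsebool httpd_enable_cgi httpd_use_nfs
#   sesearch --allow -s httpd_t -t nfs_t -c file -p execute -b httpd_enable_cgi
# and the AVCs themselves (permissive mode still logs them) come from:
#   ausearch -m avc -c httpd

# Constructed sample: the poster's booleans plus an ASSUMED httpd_enable_cgi=off.
SAMPLE_GETSEBOOL='allow_ftpd_use_nfs --> off
httpd_enable_cgi --> off
httpd_use_nfs --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on'

# bool_state NAME GETSEBOOL_TEXT -> prints on / off / unknown (if NAME is absent)
bool_state() {
    _name=$1
    _text=$2
    _val=$(printf '%s\n' "$_text" | awk -v n="$_name" '$1 == n && $2 == "-->" { print $3 }')
    printf '%s\n' "${_val:-unknown}"
}

# cgi_on_nfs_allowed GETSEBOOL_TEXT -> exit 0 only when BOTH booleans are on,
# i.e. when the httpd_t -> nfs_t execute rule and the httpd_t ->
# httpd_sys_script_t transition rule quoted above are enabled.
cgi_on_nfs_allowed() {
    [ "$(bool_state httpd_enable_cgi "$1")" = on ] &&
    [ "$(bool_state httpd_use_nfs "$1")" = on ]
}

# missing_booleans GETSEBOOL_TEXT -> names of the required booleans not set to on
missing_booleans() {
    for b in httpd_enable_cgi httpd_use_nfs; do
        [ "$(bool_state "$b" "$1")" = on ] || printf '%s\n' "$b"
    done
}

# fix_command GETSEBOOL_TEXT -> the persistent (-P) setsebool command, or nothing
fix_command() {
    _args=$(missing_booleans "$1" | sed 's/$/=on/' | tr '\n' ' ')
    if [ -n "$_args" ]; then
        printf 'setsebool -P %s\n' "${_args% }"
    fi
}

if cgi_on_nfs_allowed "$SAMPLE_GETSEBOOL"; then
    echo "httpd_t may execute nfs_t scripts and transition to httpd_sys_script_t"
else
    echo "CGI on NFS is blocked by policy; run:"
    fix_command "$SAMPLE_GETSEBOOL"
fi
```

Note that the transition only covers files that still carry the nfs_t type; relabelling the scripts on the server side (httpd_sys_script_exec_t) has no effect on the client, because NFS mounts without a context option present every file as nfs_t.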