In FC3 (running kernel 2.6.11-1.27_FC3smp and selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
Any attempts to create a file in /svn are met with (here I was attempting a "touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify; I cannot create a file -- even though my shell is running as unconfined_t. (If a file already exists, I can edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the unconfined_t context?
2. Audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted

Policy booleans:
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
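As an added example (not code from the thread), the following Python parses an AVC denial of the form shown above and derives the same rule audit2allow suggests, writing `self` when the source and target types coincide, which is what a `context=` mount produces because it labels the filesystem and every file on it with one type. The function names (parse_avc, allow_rule, is_labeling_only) are mine, and the sample line is constructed from the denial quoted in the post; the last function records the point behind question 2: a filesystem:associate rule only permits files of that type to exist on that filesystem and gives no process domain read or write access.

```python
import re

# Constructed sample, modelled on the AVC denial quoted in the post above.
SAMPLE_AVC = (
    "audit(1117233333.027:0): avc: denied { associate } for pid=12795 "
    "exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t "
    "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem"
)

# Matches "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return denied permissions plus every key=value field, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    avc["perms"] = m.group("perms").split()
    return avc


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Derive the allow rule audit2allow would print for one parsed denial.

    Equal source and target types are written as 'self'; with a context= mount
    the filesystem and its files share a type, hence 'self:filesystem associate'.
    """
    src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"], perm_str)


def is_labeling_only(avc):
    """True when the denial is filesystem:associate, i.e. a file type being placed
    on a filesystem type. The matching rule lets files of the source type live on
    that filesystem; it grants no process domain read or write access."""
    return avc["tclass"] == "filesystem" and avc["perms"] == ["associate"]


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(allow_rule(denial), "labeling-only:", is_labeling_only(denial))
```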
Robert Bottomley wrote:
> In FC3 (running kernel 2.6.11-1.27_FC3smp and selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use by Apache. In /etc/fstab, I have:
> ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
> Any attempts to create a file in /svn are met with (here I was attempting a "touch x"):

We don't have a good solution for this.

> audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
> It does not matter what context I specify; I cannot create a file -- even though my shell is running as unconfined_t. (If a file already exists, I can edit it.)
> So the questions are:
> - Is this a bug? Should I not be able to create a file when running in the unconfined_t context?
> - Audit2allow tells me that I need to add:
>   allow httpd_sys_script_rw_t self:filesystem associate;

You can install policy sources (selinux-policy-targeted-sources)

cd /etc/selinux/targeted/src/policy
echo "allow httpd_sys_script_rw_t self:filesystem associate;" >> domains/misc/local.te
make load

And try it out. It should work. The problem for us is how to generalize this solution.

Dan

> but if unconfined_t context cannot write, then will something in httpd_sys_script_rw_t be able to?
> sestatus
> ========
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 18
> Policy from config file:        targeted
>
> Policy booleans:
> allow_ypbind                    active
> dhcpd_disable_trans             inactive
> httpd_disable_trans             inactive
> httpd_enable_cgi                active
> httpd_enable_homedirs           active
> httpd_ssi_exec                  active
> httpd_tty_comm                  inactive
> httpd_unified                   inactive
> mysqld_disable_trans            inactive
> named_disable_trans             inactive
> named_write_master_zones        inactive
> nscd_disable_trans              inactive
> ntpd_disable_trans              inactive
> portmap_disable_trans           inactive
> postgresql_disable_trans        inactive
> snmpd_disable_trans             inactive
> squid_disable_trans             inactive
> syslogd_disable_trans           inactive
> use_nfs_home_dirs               inactive
> use_samba_home_dirs             inactive
> use_syslogng                    inactive
> winbind_disable_trans           inactive
> ypbind_disable_trans            inactive
selinux@lists.fedoraproject.org