(sorry - my reply didn't get copied to the list)
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: 13 April 2012 17:52
I can do this:
  [root@kojihub ~]# setenforce 0
  [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
  [root@kojihub ~]# setenforce 1
  [root@kojihub ~]# id
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
(those lines should not have joined - 2 spaces at the beginning of each line are supposed to prevent an email client "helpfully" removing line breaks)
However, I think I have a problem. My nfs server has to have SELinux disabled for other reasons, so I can't set nfs_export_all_rw there. It has to be on the nfs server, doesn't it? Even if I set everything in the tree I'm exporting to public_content_rw_t on the server and unmount and remount the client filesystem, everything still comes out as nfs_t. Is that because it's not getting the proper information from the nfs server?

Other than leaving my Koji server in permissive mode or using httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make this work? If not, I'll have to rearrange some disk space.
Moray. “To err is human; to purr, feline.”
The remote client does not have to have SELinux enabled or not. Let's step back to the beginning: what problem are you trying to solve?
SELinux is enforced at the client side, so it treats all files as nfs_t. If you are trying to share content on an NFS Server using apache, you have to turn on a couple of booleans depending on the OS you are running SELinux on.
My apache server is on the nfs client machine. That machine does not have enough disk space, so I was hoping to have it write to a filesystem mounted from another machine. The machine that I was trying to use as the nfs server has lots of disk space, but has to have SELinux disabled.
Moray. “To err is human; to purr, feline.”
On 04/16/2012 05:37 AM, Moray Henderson wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You do not need runcon. You need to mount the nfs share with a context mount. Something like:

  mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT

Or you can turn on the httpd_use_nfs boolean:

  setsebool -P httpd_use_nfs 1

If that boolean does not exist, you could turn on:

  setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1
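A way to verify on the client that one of the two fixes above is actually in place, as an added example that is not code from the thread: it reads constructed /proc/mounts-style lines (the share paths and the /srv/koji mount point are made up) instead of the live system, and also prints the /etc/fstab form of the context mount.

```sh
#!/bin/sh
# Added example, not code from the thread: decide from /proc/mounts-style
# data whether httpd (httpd_t) could write to an NFS mount point, i.e.
# whether the context mount or the httpd_use_nfs boolean is in place.
# A real check would read /proc/mounts and `getsebool httpd_use_nfs`;
# the data here is constructed so it runs without NFS or SELinux.

# Constructed sample: one share mounted with the context option from the
# thread, one plain NFS mount that SELinux will label nfs_t.
SAMPLE_MOUNTS='remotenfs:/export /srv/koji nfs rw,vers=3,context="system_u:object_r:httpd_sys_content_rw_t:s0" 0 0
remotenfs:/home /home nfs rw,vers=3 0 0'

# mount_context MOUNTPOINT: print the SELinux type from the mount's
# context= option, or nfs_t when none is set; fail if the mount point is
# not in the table. (MLS categories containing commas are not handled.)
mount_context() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v mp="$1" '
        $2 == mp {
            found = 1
            if (match($4, /context="?[^:",]*:[^:",]*:[^:",]*/)) {
                label = substr($4, RSTART + 8, RLENGTH - 8)
                gsub(/"/, "", label)
                split(label, f, ":")
                print f[3]
            } else {
                print "nfs_t"
            }
            exit
        }
        END { if (!found) exit 1 }'
}

# httpd_can_write MOUNTPOINT BOOL: exit 0 when httpd_t may write there.
# BOOL is the httpd_use_nfs boolean (0 or 1); with it off, only a share
# labelled httpd_sys_content_rw_t (httpd_sys_rw_content_t in newer
# policy) is writable, and a default nfs_t mount is not.
httpd_can_write() {
    t=$(mount_context "$1") || return 2
    case "$t" in
        httpd_sys_content_rw_t|httpd_sys_rw_content_t) return 0 ;;
        nfs_t) [ "$2" = 1 ] && return 0 ;;
    esac
    return 1
}

# fstab_line REMOTE LOCAL: the /etc/fstab form of the thread's context
# mount, so the label survives a reboot (_netdev waits for the network).
fstab_line() {
    printf '%s %s nfs context="system_u:object_r:httpd_sys_content_rw_t:s0",_netdev 0 0\n' "$1" "$2"
}
```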
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: 16 April 2012 16:26
Ah, THAT's how it's done! Thank you. (I was relying on CentOS 5 man pages, which don't mention httpd_use_nfs.)
Moray. “To err is human; to purr, feline.”