selinux context disappear after nfs mount

Fabrizio Buratta extremoburo at gmail.com
Thu Oct 9 13:06:29 UTC 2008


This is what I set:

local.te:

allow httpd_sys_script_t mnt_t:dir search;
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_sys_script_t nfs_t:dir { search write add_name };
allow httpd_sys_script_t nfs_t:file { create unlink getattr append
read write setattr };

Fab.


2008/10/9 Fabrizio Buratta <extremoburo at gmail.com>:
>> You have two problems.
>>
>> #============= httpd_sys_script_t ==============
>> allow httpd_sys_script_t mnt_t:dir search;
>>
>> You need to load a custom policy to allow your cgi scripts to read
>> through the /mnt directory
>>
>> allow httpd_sys_script_t var_t:dir getattr;
>>
>> This one does not make sense; this rule should be allowed in all default
>> policies.  What policy are you running?  Apache scripts should be able
>> to search/getattr on var_t in order to use /var/www/
>>
>> Neither of these AVCs is much of a security risk to allow.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkjsm2cACgkQrlYvE4MpobMIFQCg4SenCLanOIaIIc0m5ozndTR5
>> HX4An26oG117iKH1aqsETEWJw9CrfiUf
>> =cY7A
>> -----END PGP SIGNATURE-----
>>
>
> My policy version is 18,
>
> the package:  1.17.30-2.150.el4
>
> I will try with a custom policy thus,
>
> I'll tell you if I face further issues.
>
> Thanks a lot,
>
> Fab
>
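The rules above are audit2allow output (the "#============= httpd_sys_script_t ==============" header is its format), so here is an added example, not code from this thread or from the SELinux tools, of what that step does: a minimal AVC parser that turns "avc: denied" lines into allow rules, merging permissions per source type, target type and object class, and tagging any rule that grants write access so it gets a second look before it goes into local.te. The log lines are constructed for the example (a CGI called upload.cgi writing to an NFS share under /mnt is an assumption, not something from the original post).

```python
"""
Added example (not code from the original thread, nor from the SELinux
tools): a minimal audit2allow-style parser.  It reads 'avc: denied' lines,
merges permissions per (source type, target type, object class) and emits
allow rules in policy syntax, marking rules that grant write access.
"""
import re
from collections import OrderedDict

# Kernel AVC message as logged via syslog on a 2.6.9-era box (three-field
# contexts, no MLS level); contexts with a level also parse.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the subject change the object.  search/getattr are
# low risk; these are the ones an admin should review before loading.
WRITE_LIKE = {"write", "append", "create", "unlink", "add_name",
              "remove_name", "setattr", "rename", "link"}

# Constructed sample log lines (assumption: CGI named upload.cgi, NFS share
# under /mnt/share); they are not taken from the original post.
SAMPLE_LOG = [
    'Oct  9 14:01:11 web1 kernel: audit(1223560871.123:45): avc:  denied  '
    '{ search } for  pid=2311 comm="upload.cgi" name="mnt" dev=sda1 ino=2 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:mnt_t tclass=dir',
    'Oct  9 14:01:11 web1 kernel: audit(1223560871.124:46): avc:  denied  '
    '{ getattr } for  pid=2311 comm="upload.cgi" path="/var" dev=sda1 ino=3 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:var_t tclass=dir',
    'Oct  9 14:01:12 web1 httpd: upload.cgi: Permission denied',
    'Oct  9 14:01:12 web1 kernel: audit(1223560872.001:47): avc:  denied  '
    '{ search } for  pid=2311 comm="upload.cgi" name="share" dev=0:12 ino=2 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:nfs_t tclass=dir',
    'Oct  9 14:01:12 web1 kernel: audit(1223560872.002:48): avc:  denied  '
    '{ write add_name } for  pid=2311 comm="upload.cgi" name="share" '
    'dev=0:12 ino=2 scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:nfs_t tclass=dir',
    'Oct  9 14:01:12 web1 kernel: audit(1223560872.003:49): avc:  denied  '
    '{ create } for  pid=2311 comm="upload.cgi" name="out.txt" '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:nfs_t tclass=file',
    'Oct  9 14:01:13 web1 kernel: audit(1223560873.010:50): avc:  denied  '
    '{ write getattr } for  pid=2311 comm="upload.cgi" path="/mnt/share/out.txt" '
    'dev=0:12 ino=100 scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:nfs_t tclass=file',
]


def type_of(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]


def parse_avcs(lines):
    """Collect denied permissions per (source type, target type, class).

    Non-AVC lines are skipped; repeated denials against the same triple
    merge into one rule, so six log lines become four rules.
    """
    rules = OrderedDict()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m.group("scon")), type_of(m.group("tcon")),
               m.group("tclass"))
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules


def format_rule(key, perms):
    """Render one rule in policy syntax; braces only for several perms."""
    src, tgt, cls = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, tgt, cls, body)


def to_te(rules):
    """Emit audit2allow-style text: one header per source type, and a
    trailing comment on every rule that grants write access."""
    by_src = OrderedDict()
    for key, perms in rules.items():
        by_src.setdefault(key[0], []).append((key, perms))
    out = []
    for src, items in by_src.items():
        out.append("#============= %s ==============" % src)
        for key, perms in items:
            note = "  # review: grants write access" if perms & WRITE_LIKE else ""
            out.append(format_rule(key, perms) + note)
    return "\n".join(out)


if __name__ == "__main__":
    print(to_te(parse_avcs(SAMPLE_LOG)))
```

Feeding it the real denials (grep avc /var/log/messages, or dmesg) instead of SAMPLE_LOG gives the rules for your box; they then go into local.te and the policy is rebuilt, as discussed in the thread. One caveat worth keeping in mind when reviewing the flagged rules: nfs_t is the type every NFS mount gets unless it is mounted with an explicit context= option, so "allow httpd_sys_script_t nfs_t:file { create unlink ... write }" lets the CGI scripts write to all NFS mounts on the host, not just the one under /mnt. Mounting the share with its own context lets the rule be written against a narrower type.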
