cgi over nfs

Dominick Grift domg472 at gmail.com
Thu Oct 7 08:53:24 UTC 2010


On Wed, Oct 06, 2010 at 06:26:01PM -0400, m.roth at 5-cent.us wrote:
> Can someone give me a pointer as to where I need to start? On the server
> the directory is physically on, I've set a bunch of cgi scripts to
> httpd_sys_script_exec_t, and restarted nfs. Then I did the same on the
> server mounting that directory... and the scripts show as nfs_t. getsebool
> -a | grep nfs shows
> allow_ftpd_use_nfs --> off
> allow_nfsd_anon_write --> off
> httpd_use_nfs --> on
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> nfsd_disable_trans --> off
> qemu_use_nfs --> on
> samba_share_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
> 
> So, what do I need to do to get rid of the AVCs (yeah, we're in permissive
> mode)?

This is what sesearch tells me:

$ sesearch --allow -SC -s httpd_t -t nfs_t -c file -p execute
Found 1 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]

$ sesearch --allow -SC -s httpd_t -t httpd_sys_script_t | grep nfs
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]


When booleans httpd_enable_cgi and httpd_use_nfs are both set to true, then httpd_t will transition to httpd_sys_script_t when it executes an entry_file with type nfs_t:

httpd_t(apache) -> nfs_t(type of cgi script on nfs) -> httpd_sys_script_t(type of nfs cgi script process)


> 
>        mark
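Added example (not part of this thread or of SELinux's own tooling): a small Python script that parses the two kinds of output quoted above, sesearch's conditional rules (with the condition in postfix form) and getsebool's `name --> on/off` lines, evaluates the condition against the boolean settings, and reports whether the execute and transition rules are live. The sample inputs are constructed from the lines in this thread; the value of httpd_enable_cgi is assumed, since Mark's grep for "nfs" would not have shown it. The function names (parse_rules, eval_cond, transition_enabled) are the example's own. It only checks the two rules Dominick queried; a domain transition also needs an entrypoint rule for the new domain on the script's file type, which the thread did not search for.

```python
import re

# Constructed sample input: the two sesearch lines quoted in the message.
# The trailing [ ... ] is the rule's condition in postfix (RPN) form; the
# leading D/E + T/F flags are sesearch's view of the rule's state and branch,
# which this script ignores in favour of re-evaluating the condition itself.
SESEARCH_OUTPUT = """\
Found 1 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]
"""

# Constructed sample of `getsebool -a` output: nfs-related lines from the
# original post plus httpd_enable_cgi, which the post did not show (assumed on).
GETSEBOOL_OUTPUT = """\
allow_ftpd_use_nfs --> off
httpd_use_nfs --> on
nfs_export_all_ro --> on
httpd_enable_cgi --> on
"""

# One allow rule as printed by `sesearch --allow -SC`; flags are optional
# because unconditional rules carry none.
RULE_RE = re.compile(
    r"^(?:[DE][TF]?\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;(?:\s*\[(?P<cond>[^\]]*)\])?"
)


def parse_booleans(text):
    """Map boolean name -> True/False from getsebool-style lines."""
    bools = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+-->\s+(on|off)\s*$", line)
        if m:
            bools[m.group(1)] = m.group(2) == "on"
    return bools


def parse_rules(text):
    """Extract allow rules; perms become a set, cond stays a postfix string or None."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = set(m.group("perms").strip("{} ").split())
        cond = m.group("cond")
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perms,
                      "cond": cond.strip() if cond else None})
    return rules


def eval_cond(expr, bools):
    """Evaluate a postfix condition such as 'httpd_enable_cgi httpd_use_nfs &&'."""
    stack = []
    for tok in expr.split():
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in ("&&", "||", "^", "==", "!="):
            b, a = stack.pop(), stack.pop()
            stack.append({"&&": a and b, "||": a or b, "^": a != b,
                          "==": a == b, "!=": a != b}[tok])
        elif tok in bools:
            stack.append(bools[tok])
        else:
            raise KeyError(f"boolean {tok} not present in getsebool output")
    if len(stack) != 1:
        raise ValueError(f"malformed condition: {expr!r}")
    return stack[0]


def rule_active(rule, bools):
    """A rule is live if it is unconditional or its condition evaluates true."""
    return rule["cond"] is None or eval_cond(rule["cond"], bools)


def transition_enabled(rules, bools, src="httpd_t", entry="nfs_t", dst="httpd_sys_script_t"):
    """True when src may execute an entry file of type `entry` and transition to dst.

    This checks only the two rules quoted in the thread; the new domain's
    entrypoint rule on the file type is also required and is not covered here.
    """
    needed = [(entry, "file", "execute"), (dst, "process", "transition")]
    for tgt, cls, perm in needed:
        if not any(r["src"] == src and r["tgt"] == tgt and r["cls"] == cls
                   and perm in r["perms"] and rule_active(r, bools) for r in rules):
            return False
    return True


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    bools = parse_booleans(GETSEBOOL_OUTPUT)
    for r in rules:
        print(f"{r['src']} -> {r['tgt']} : {r['cls']} {sorted(r['perms'])}"
              f" active={rule_active(r, bools)}")
    print("httpd_t -> nfs_t -> httpd_sys_script_t enabled:", transition_enabled(rules, bools))
```

With both booleans on, both quoted rules evaluate as active and the chain httpd_t -> nfs_t -> httpd_sys_script_t is reported enabled; flipping httpd_enable_cgi off disables both rules at once, which is the first thing to check when a script on an NFS mount still runs as plain nfs_t.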