Giving httpd access to a mounted NTFS volume

Chris Lopes clopes at yahoo.com
Thu Sep 9 12:08:22 UTC 2010 

I am not able to update to a supported release at this time.

I will try audit2allow, as you have suggested


----- Original Message ----
From: Daniel J Walsh <dwalsh at redhat.com>
To: Chris Lopes <clopes at yahoo.com>
Cc: selinux at lists.fedoraproject.org
Sent: Thu, September 9, 2010 7:01:37 PM
Subject: Re: Giving httpd access to a mounted NTFS volume

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2010 07:46 AM, Chris Lopes wrote:
> Hi,
> 
> I am using selinux under Fedora 10 (2.6.27.37).
> I have Apache httpd running, and I would like it to be able to serve requests 
> for files which are on a mounted NTFS volume.
> 
First off, please update to a Fedora Release that is supported F12, F13,
F14.


> I have tried to mount the volume with an appropriate context:
> mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/somedevice 
> /mnt/somemountpoint
> 
> But the resulting context on files within the mount is 
> still: system_u:object_r:fusefs_t:s0
Open a bug on this, again on an OS that is supported.

I would just add allow rules using audit2allow for now.

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

> The mount itself doesn't generate any noteworthy warnings/errors in my logs.
> So of course seliux disallows apache to read the files and generates 
> corresponding denials in my logs.
> No other partition on this device is already mounted.
> 
> Is this a known bug?
> Others seem to have similar issues:
>http://old.nabble.com/mounting-nfs-as-httpd_sys_content_t-under-selinux-td14230083.html
>l
> 
> http://forums.fedoraforum.org/archive/index.php/t-246937.html
>http://old.nabble.com/SELinux-enforcing,-an-external-ntfs-3g-mount,-Samba-and-Fedora-8-td14356238.html
>l
> 
> 
> I guess an alternative is to create a policy that tells selinux to allow httpd 

> to read fuse files, as is described here:
> https://bugzilla.redhat.com/show_bug.cgi?id=631616#c2
> 
> Any ideas?
> 
> Thanks
> 
> 
>      
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyIzKEACgkQrlYvE4MpobM3XwCfaRvhpwGXloNJ5WHU59HVb3sO
1WUAoIFK6U7TAFcc8EY4UI0yJFlib/zW
=G6S8
-----END PGP SIGNATURE-----

More information about the selinux mailing list