runcon Invalid argument

Daniel J Walsh dwalsh at redhat.com
Mon Apr 16 15:26:23 UTC 2012



On 04/16/2012 05:37 AM, Moray Henderson wrote:
> (sorry - my reply didn't get copied to the list)
> 
>> -----Original Message----- From: Daniel J Walsh
>> [mailto:dwalsh at redhat.com] Sent: 13 April 2012 17:52
>>> 
>>> I can do this:
>>> 
>>> [root at kojihub ~]# setenforce 0
>>> [root at kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
>>> [root at kojihub ~]# setenforce 1
>>> [root at kojihub ~]# id
>>> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
> 
> (those lines should not have joined - 2 spaces at the beginning of each
> line are supposed to prevent an email client "helpfully" removing line
> breaks)
> 
>>> However, I think I have a problem.  My nfs server has to have SELinux
>>> disabled for other reasons, so I can't set nfs_export_all_rw there.  It has
>>> to be on the nfs server, doesn't it?  Even if I set everything in the tree
>>> I'm exporting to public_content_rw_t on the server and unmount and remount
>>> the client filesystem everything still comes out as nfs_t.  Is that because
>>> it's not getting the proper information from the nfs server?
>>> 
>>> Other than leaving my Koji server in permissive mode or using
>>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
>>> this work?  If not, I'll have to rearrange some disk space.
>>> 
>>> 
>>> Moray. “To err is human; to purr, feline.”
>>> 
>>> 
>>> 
>>> 
>> The remote client does not have to have SELinux enabled or not. Let's step
>> back to the beginning, what problem are you trying to solve?
>> 
>> SELinux is enforced at the client side, so it treats all files as nfs_t.
>> If you are trying to share content on an NFS Server using apache, you
>> have to turn on a couple of booleans depending on the OS you are running 
>> SELinux on.
> 
> My apache server is on the nfs client machine.  That machine does not have
> enough disk space, so I was hoping to have it write to a filesystem mounted
> from another machine.  The machine that I was trying to use as the nfs
> server has lots of disk space, but has to have SELinux disabled.
> 
> 
> Moray. “To err is human; to purr, feline.”
> 
> 
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux


You do not need runcon. You need to mount the NFS share with a context mount,
something like

mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT

Or you can turn on the httpd_use_nfs boolean:

setsebool -P httpd_use_nfs 1

If that boolean does not exist, you could turn on:

setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1
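The two fixes in the reply above, the context mount and the boolean fallback, are both applied on the NFS client, because the client's kernel labels everything on the share nfs_t no matter what the server (SELinux disabled or not) has on disk. The script below is an added example and not part of the mail or of Dan Walsh's advice. It wraps the two options in checks a practitioner would want before running them as root on a Koji host: the label passed to context= is validated first (a truncated user field such as "system_" is rejected), the booleans are looked up in a getsebool -a listing so setsebool is never asked for a name the policy lacks, and after mounting the mount point's label is read back with stat so a context= option that did not take effect (the directory still shows nfs_t) is caught. The export remotenfs:/export/koji, the mount point /srv/koji and the default SE_USERS list (the user set of the stock targeted policy) are assumptions for illustration; the type used is httpd_sys_rw_content_t, of which the name in the mail, httpd_sys_content_rw_t, is kept as an alias in the reference policy.

```shell
#!/bin/sh
# Added example, not from the original mail. Helpers for the situation in the
# thread: httpd on an SELinux client that must write to an NFS mount whose
# server has SELinux disabled. The client's policy decides everything, so the
# fix is applied on the client: prefer a context= mount (only this mount is
# relabelled) and fall back to the booleans, checking that they exist first.
# remotenfs:/export/koji and /srv/koji are made-up names for illustration.

# SELinux users accepted in a label. The default is the user set of the stock
# targeted policy (an assumption); on a real box replace it with the output of
# `seinfo -u` or `semanage user -l`.
SE_USERS="${SE_USERS:-guest_u root staff_u sysadm_u system_u unconfined_u user_u xguest_u}"

# Third field of a label, e.g. nfs_t from system_u:object_r:nfs_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when a path still carries the generic NFS type, i.e. the context mount
# did not take effect (or was never done).
label_needs_context_mount() {
    [ "$(context_type "$1")" = nfs_t ]
}

# Validate a file label before handing it to mount: the user must be a known
# SELinux user (this is what rejects a truncated user such as "system_"), the
# role must be object_r (files never carry system_r), the type must look like
# a type (_t suffix) and the MLS level must be present.
valid_label() {
    sel_user=$(printf '%s\n' "$1" | cut -d: -f1)
    sel_role=$(printf '%s\n' "$1" | cut -d: -f2)
    sel_type=$(printf '%s\n' "$1" | cut -d: -f3)
    sel_level=$(printf '%s\n' "$1" | cut -d: -f4-)
    [ -n "$sel_level" ] || return 1
    [ "$sel_role" = object_r ] || return 1
    case "$sel_type" in *_t) ;; *) return 1 ;; esac
    for u in $SE_USERS; do
        [ "$u" = "$sel_user" ] && return 0
    done
    return 1
}

# Print the mount command for a context mount, refusing a malformed label.
build_mount_cmd() {
    valid_label "$1" || return 1
    printf 'mount -t nfs -o context="%s" %s %s\n' "$1" "$2" "$3"
}

# The same mount as a persistent /etc/fstab line.
build_fstab_line() {
    valid_label "$1" || return 1
    printf '%s %s nfs context="%s" 0 0\n' "$2" "$3" "$1"
}

# Pick the booleans for the fallback from a `getsebool -a` listing (one
# "name --> value" per line). Prefers httpd_use_nfs; otherwise the two
# home-dir booleans; fails if the policy has neither.
httpd_nfs_booleans() {
    if grep -q '^httpd_use_nfs[[:space:]]' "$1"; then
        printf 'httpd_use_nfs=1\n'
    elif grep -q '^use_nfs_home_dirs[[:space:]]' "$1" &&
         grep -q '^httpd_enable_homedirs[[:space:]]' "$1"; then
        printf 'use_nfs_home_dirs=1 httpd_enable_homedirs=1\n'
    else
        return 1
    fi
}

# On a real client run `sh thisfile.sh --demo`: prints the commands to use
# and, if the mount point exists, checks the label it currently carries.
case "${1:-}" in
--demo)
    ctx=system_u:object_r:httpd_sys_rw_content_t:s0
    build_mount_cmd "$ctx" remotenfs:/export/koji /srv/koji
    build_fstab_line "$ctx" remotenfs:/export/koji /srv/koji
    if command -v getsebool >/dev/null 2>&1; then
        list=$(mktemp)
        getsebool -a > "$list"
        printf 'fallback: setsebool -P %s\n' \
            "$(httpd_nfs_booleans "$list" || echo '(no suitable boolean in this policy)')"
        rm -f "$list"
    fi
    if [ -d /srv/koji ] && label_needs_context_mount "$(stat -c %C /srv/koji)"; then
        echo '/srv/koji is still nfs_t: the context= option has not taken effect'
    fi
    ;;
esac
```

The context mount is the tighter of the two choices: it relabels only this one mount as writable web content, whereas httpd_use_nfs lets httpd_t at every nfs_t file on the box, and the home-dir pair widens that further. Whichever is used, re-check with `stat -c %C /srv/koji` (or `ls -Zd`) after mounting; if the type is still nfs_t the mount options did not take and httpd will keep getting EACCES in enforcing mode.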

