runcon Invalid argument
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 16 15:26:23 UTC 2012
On 04/16/2012 05:37 AM, Moray Henderson wrote:
> (sorry - my reply didn't get copied to the list)
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: 13 April 2012 17:52
>>>
>>> I can do this:
>>>
>>> [root at kojihub ~]# setenforce 0
>>> [root at kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
>>> [root at kojihub ~]# setenforce 1
>>> [root at kojihub ~]# id
>>> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
>
> (those lines should not have joined - 2 spaces at the beginning of each
> line are supposed to prevent an email client "helpfully" removing line
> breaks)
>
>>> However, I think I have a problem. My nfs server has to have SELinux
>>> disabled for other reasons, so I can't set nfs_export_all_rw there. It has
>>> to be on the nfs server, doesn't it? Even if I set everything in the tree
>>> I'm exporting to public_content_rw_t on the server and unmount and remount
>>> the client filesystem everything still comes out as nfs_t. Is that because
>>> it's not getting the proper information from the nfs server?
>>>
>>> Other than leaving my Koji server in permissive mode or using
>>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
>>> this work? If not, I'll have to rearrange some disk space.
>>>
>>>
>>> Moray. “To err is human; to purr, feline.”
>>>
>> The remote client does not have to have SELinux enabled or not. Let's step
>> back to the beginning, what problem are you trying to solve?
>>
>> SELinux is enforced at the client side, so it treats all files as nfs_t.
>> If you are trying to share content on an NFS Server using apache, you
>> have to turn on a couple of booleans depending on the OS you are running
>> SELinux on.
>
> My apache server is on the nfs client machine. That machine does not have
> enough disk space, so I was hoping to have it write to a filesystem mounted
> from another machine. The machine that I was trying to use as the nfs
> server has lots of disk space, but has to have SELinux disabled.
>
>
> Moray. “To err is human; to purr, feline.”
>
> -- 
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
You do not need runcon. You need to mount the nfs share with a context mount.
Something like

mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT

Or you can turn on the httpd_use_nfs boolean:

setsebool -P httpd_use_nfs 1

If that boolean does not exist you could turn on

setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1
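Added example, not code from the thread or from the SELinux project: the context-mount route Dan describes, wrapped in a small bash helper that validates the context string before it reaches mount(8) (the kind of check that would have caught a "system_:object_r:..." typo), prints the matching /etc/fstab line so the label survives a reboot, and applies his boolean fallback only when the running policy actually has the boolean. The host name koji-nfs, the export path and /srv/koji are placeholders. It uses httpd_sys_rw_content_t, the canonical name in current Fedora/RHEL policy for the type the thread calls httpd_sys_content_rw_t (kept as an alias in the reference policy).

```bash
#!/usr/bin/env bash
# Added example (not part of the original thread). Prepares a context mount so a
# confined Apache (httpd_t) on the NFS *client* can write to an export whose
# server has SELinux disabled. Host names and paths are placeholders.
set -u

# Canonical writable-content type for httpd; the thread's httpd_sys_content_rw_t
# is an alias for it in the reference policy.
HTTPD_RW_TYPE="httpd_sys_rw_content_t"

# Accept only a well-formed SELinux context: user:role:type:level, where the
# level is an MLS/MCS level or range such as s0 or s0-s0:c0.c1023. Rejects
# truncated users like "system_" before mount(8) ever sees them.
validate_context() {
    local ctx="$1"
    local re='^[a-z][a-z0-9_]*_u:[a-z][a-z0-9_]*_r:[a-z][a-z0-9_]*_t:s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$'
    [[ $ctx =~ $re ]]
}

# Print the mount(8) command for a one-off mount. No quotes around the context
# in the output: the shell strips them before mount sees the option anyway.
mount_command() {
    local share="$1" mountpoint="$2" ctx="$3"
    validate_context "$ctx" || { echo "bad context: $ctx" >&2; return 1; }
    printf 'mount -t nfs -o context=%s %s %s\n' "$share" "$mountpoint" "$ctx" \
        | awk '{print $1, $2, $3, $4, "context="$7, $5, $6}' >/dev/null  # placeholder removed below
    printf 'mount -t nfs -o context=%s %s %s\n' "$ctx" "$share" "$mountpoint"
}

# Print the matching /etc/fstab line so the label persists across reboots. Here
# the quotes are written into the file on purpose: in fstab they are what keeps
# a context containing commas (MCS categories) from being split into options.
fstab_line() {
    local share="$1" mountpoint="$2" ctx="$3"
    validate_context "$ctx" || { echo "bad context: $ctx" >&2; return 1; }
    printf '%s %s nfs context="%s" 0 0\n' "$share" "$mountpoint" "$ctx"
}

# Given the boolean names the running policy knows (in real use:
# getsebool -a | cut -d' ' -f1), pick the setsebool command the thread
# describes: httpd_use_nfs when the policy has it, otherwise the home-dir pair.
# Returns 1 when neither exists, so the caller relies on the context mount only.
nfs_boolean_command() {
    local known
    known=" $(printf '%s\n' "$@" | tr '\n' ' ')"
    if [[ $known == *" httpd_use_nfs "* ]]; then
        echo "setsebool -P httpd_use_nfs 1"
    elif [[ $known == *" use_nfs_home_dirs "* && $known == *" httpd_enable_homedirs "* ]]; then
        echo "setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1"
    else
        return 1
    fi
}

# Demonstration with placeholder names. Nothing here mounts anything; it prints
# the commands to run on the NFS client, the machine whose policy matters.
CTX="system_u:object_r:${HTTPD_RW_TYPE}:s0"
mount_command koji-nfs:/export/koji /srv/koji "$CTX"
fstab_line koji-nfs:/export/koji /srv/koji "$CTX"
if command -v getsebool >/dev/null 2>&1; then
    nfs_boolean_command $(getsebool -a | cut -d' ' -f1) \
        || echo "no NFS boolean in this policy; rely on the context mount"
fi
echo "after mounting, confirm the label with: ls -dZ /srv/koji"
```

The context mount is the tighter of the two options: httpd_use_nfs lets httpd_t read and write everything labelled nfs_t on the client, that is every NFS mount the box has, while context= grants access to one filesystem and nothing else. Both work regardless of the server's SELinux state because the label is assigned entirely on the client, which is the point Dan makes about enforcement happening client-side. The trade-off is that a context mount gives every file under it the same single type, so the share is fine for content Apache writes but not for scripts or configuration that would need their own types.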