runcon Invalid argument

Moray Henderson Moray.Henderson at ict-software.org
Mon Apr 16 16:09:00 UTC 2012


> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: 16 April 2012 16:26
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 04/16/2012 05:37 AM, Moray Henderson wrote:
> > (sorry - my reply didn't get copied to the list)
> >
> >> -----Original Message----- From: Daniel J Walsh
> >> [mailto:dwalsh at redhat.com] Sent: 13 April 2012 17:52
> >>>
> >>> I can do this:
> >>>
> >>>   [root@kojihub ~]# setenforce 0
> >>>   [root@kojihub ~]# runcon unconfined_u:system_r:httpd_t:s0 bash
> >>>   [root@kojihub ~]# setenforce 1
> >>>   [root@kojihub ~]# id
> >>>   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:system_r:httpd_t:s0
> >
> > (those lines should not have joined - 2 spaces at the beginning of each
> > line are supposed to prevent an email client "helpfully" removing line
> > breaks)
> >
> >>> However, I think I have a problem.  My nfs server has to have SELinux
> >>> disabled for other reasons, so I can't set nfs_export_all_rw there.  It has
> >>> to be on the nfs server, doesn't it?  Even if I set everything in the tree
> >>> I'm exporting to public_content_rw_t on the server and unmount and remount
> >>> the client filesystem everything still comes out as nfs_t.  Is that because
> >>> it's not getting the proper information from the nfs server?
> >>>
> >>> Other than leaving my Koji server in permissive mode or using
> >>> httpd_disable_trans=1 (if that works on CentOS 6), is there a way to make
> >>> this work?  If not, I'll have to rearrange some disk space.
> >>>
> >>>
> >>> Moray. “To err is human; to purr, feline.”
> >>>
> >> The remote client does not have to have SELinux enabled.  Let's step
> >> back to the beginning, what problem are you trying to solve?
> >>
> >> SELinux is enforced at the client side, so it treats all files as nfs_t.
> >> If you are trying to share content on an NFS Server using apache, you
> >> have to turn on a couple of booleans depending on the OS you are running
> >> SELinux on.
> >
> > My apache server is on the nfs client machine.  That machine does not have
> > enough disk space, so I was hoping to have it write to a filesystem mounted
> > from another machine.  The machine that I was trying to use as the nfs
> > server has lots of disk space, but has to have SELinux disabled.
> >
> >
> > Moray. “To err is human; to purr, feline.”
> >
> >
> > -- selinux mailing list selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> You do not need runcon.  You need to mount the nfs share with a context
> mount.  Something like
> 
> mount -t nfs -o context="system_u:object_r:httpd_sys_content_rw_t:s0" \
>     remotenfs:/MOUNTPOINT /LOCALMOUNTPOINT
> 
> Or you can turn on the httpd_use_nfs boolean
> 
> setsebool -P httpd_use_nfs 1
> 
> If that boolean does not exist you could turn on
> 
> setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1

Ah, THAT's how it's done!  Thank you.  (I was relying on CentOS 5 man pages, which don't mention httpd_use_nfs.)


Moray.
“To err is human; to purr, feline.”
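The context-mount route from Dan's reply, carried through to a persistent /etc/fstab entry with the label checked first, as an added example that is not part of the thread. It assumes a hypothetical export remotenfs:/export/koji and local mount point /srv/koji, and a constructed `getsebool -a` sample; the fstab quoting of the context option follows mount(8), which accepts the quoted form so that MLS categories containing commas are not split into separate options. Because a context mount labels every file on the client, the server's labels (or its disabled SELinux) never come into play, which is why relabelling the export to public_content_rw_t on the server changed nothing.

```shell
#!/bin/sh
# Added example, not code from the selinux list thread.  remotenfs:/export/koji
# and /srv/koji are hypothetical names; the getsebool output below is constructed.

# A context label has four colon-separated fields: user:role:type:level.
# The last variable in `read` receives the remainder, so an MLS range such
# as s0-s0:c0.c1023 survives intact in $level.  A label with a missing
# user field ("system_:object_r:...") fails the first test.
selinux_label_ok() {
    IFS=: read -r user role type level <<EOF
$1
EOF
    case "$user" in ?*_u) ;; *) return 1 ;; esac
    case "$role" in ?*_r) ;; *) return 1 ;; esac
    case "$type" in ?*_t) ;; *) return 1 ;; esac
    case "$level" in s[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Emit the /etc/fstab line for a client-side context mount.  The label is
# applied to every inode under the mount point by the client kernel; the
# NFS server is never asked for labels, so it may have SELinux disabled.
fstab_line() {
    src=$1; dst=$2; label=$3
    selinux_label_ok "$label" || {
        echo "bad SELinux label: $label" >&2
        return 1
    }
    printf '%s %s nfs context="%s",_netdev 0 0\n' "$src" "$dst" "$label"
}

# Alternative to a context mount: let httpd_t use nfs_t directly.  Pick the
# boolean from `getsebool -a` output; if the policy does not define
# httpd_use_nfs, fall back to the pair Dan lists.
pick_boolean_cmd() {
    if printf '%s\n' "$1" | grep -q '^httpd_use_nfs '; then
        echo 'setsebool -P httpd_use_nfs 1'
    else
        echo 'setsebool -P use_nfs_home_dirs=1 httpd_enable_homedirs=1'
    fi
}

# Constructed sample of `getsebool -a` on a policy that has httpd_use_nfs.
SAMPLE_BOOLS='httpd_enable_homedirs --> off
httpd_use_nfs --> off
use_nfs_home_dirs --> off'

fstab_line remotenfs:/export/koji /srv/koji \
    'system_u:object_r:httpd_sys_content_rw_t:s0'
pick_boolean_cmd "$SAMPLE_BOOLS"
```

After `mount /srv/koji`, `ls -Zd /srv/koji` should show httpd_sys_content_rw_t rather than nfs_t, and a write from httpd_t no longer needs runcon or permissive mode. Remember that setenforce 0 / runcon / setenforce 1 only changed the label of one shell; the context mount or boolean changes what httpd_t itself may touch.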