Unable to create files when using "context" option for NFS

Daniel J Walsh dwalsh at redhat.com
Wed Jun 8 14:46:56 UTC 2005


Robert Bottomley wrote:

> In FC3 (running kernel 2.6.11-1.27_FC3smp and 
> selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem 
> for use by Apache. In /etc/fstab, I have:
>
> ozone:/usr/local/svn /svn nfs 
> rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 
> 0 0
>
> Any attempts to create a file in /svn are met with (here I was 
> attempting a "touch x"):
>
We don't have a good solution for this.


> audit(1117233333.027:0): avc: denied { associate } for pid=12795 
> exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t 
> tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
>
> It does not matter what context I specify, I cannot create a file -- 
> even though my shell is running as unconfined_t. (If a file already 
> exists, I can edit it.)
>
> So the questions are:
>
> 1. Is this a bug? Should I not be able to create a file when running 
> in the unconfined_t context?
>
> 2. Audit2allow tells me that I need to add:
> "
>
You can install policy sources (selinux-policy-targeted-sources)

cd /etc/selinux/targeted/src/policy
echo "allow httpd_sys_script_rw_t self:filesystem associate;" >> domains/misc/local.te
make load

And try it out.  It should work.  The problem for us is how to 
generalize this solution.

Dan

> but if unconfined_t context cannot write, then will something in 
> httpd_sys_script_rw_t be able to?
>
> sestatus
> ========
>
> SELinux status:         enabled
> SELinuxfs mount:        /selinux
> Current mode:           enforcing
> Mode from config file:  enforcing
> Policy version:         18
> Policy from config file:targeted
>
> Policy booleans:
> allow_ypbind            active
> dhcpd_disable_trans     inactive
> httpd_disable_trans     inactive
> httpd_enable_cgi        active
> httpd_enable_homedirs   active
> httpd_ssi_exec          active
> httpd_tty_comm          inactive
> httpd_unified           inactive
> mysqld_disable_trans    inactive
> named_disable_trans     inactive
> named_write_master_zones inactive
> nscd_disable_trans      inactive
> ntpd_disable_trans      inactive
> portmap_disable_trans   inactive
> postgresql_disable_trans inactive
> snmpd_disable_trans     inactive
> squid_disable_trans     inactive
> syslogd_disable_trans   inactive
> use_nfs_home_dirs       inactive
> use_samba_home_dirs     inactive
> use_syslogng            inactive
> winbind_disable_trans   inactive
> ypbind_disable_trans    inactive
>


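The rule Dan appends to local.te is exactly what audit2allow derives from the AVC line Robert quoted. As an added illustration (not code from the thread or from audit2allow itself), the Python below parses that denial and rebuilds the same rule; the function names parse_avc, allow_rule and is_context_mount_associate are my own, and the sample line is re-typed from the message.

```python
import re

# Constructed sample: the denial quoted in the thread, re-typed as test input.
AVC_LINE = (
    "audit(1117233333.027:0): avc: denied { associate } for pid=12795 "
    "exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t "
    "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull permissions, contexts and class out of one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Build the TE allow rule audit2allow would emit for one parsed denial."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt  # same type both sides -> "self"
    perms = avc["perms"]
    perm_expr = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{avc['tclass']} {perm_expr};"


def is_context_mount_associate(avc):
    """True for the shape seen with a context= mount: a new file's type being
    associated with a filesystem of the same type.  For 'associate' the source
    is the file's type, not the creating process's, so unconfined_t never
    appears in the message even when the shell is unconfined."""
    return avc["tclass"] == "filesystem" and "associate" in avc["perms"]
```

Running it over the quoted line yields `allow httpd_sys_script_rw_t self:filesystem associate;`, the same rule Dan gives.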
More information about the fedora-selinux-list mailing list