mounting nfs as httpd_sys_content_t under selinux

Stephen Smalley sds at tycho.nsa.gov
Mon Dec 10 14:34:14 UTC 2007


On Sat, 2007-12-08 at 11:41 -0500, Johnny Tan wrote:
> I have a NFS mount that I want apache to be able to serve 
> files from.
> 
> According to this doc:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/ch45s02s03.html
> 
> I should be able to mount it with a context that will allow 
> apache to access it.
> 
> But when I try the suggested command:
> 
> [root at vm-37:~] mount -t nfs -o \
> context=system_u:object_r:httpd_sys_content_t \
> 192.168.1.100:/data/test /mnt/test

What kernel messages in /var/log/messages did you get when you ran this
command?

Did you already have a mount from the same server/filesystem when you
tried doing this?  If so, unmount those first and try again - context
mounts are limited to one per superblock.

> It *does* mount, but when I do:
> [root at vm-37:~]# ls -lZ /mnt
> drwxr-xr-x  65534 65534 system_u:object_r:nfs_t   test
> 
> It doesn't show the correct context.
> 
> (I don't know if it matters that I don't have a user with 
> UID 65534, only the remote NFS server has that.)
> 
> 
> And sure enough, apache still can't serve from it. I see 
> this in /var/log/messages:
> Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc:  denied  { search } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc:  denied  { getattr } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> 
> When I "setenforce 0", it works. But I want SELinux.
> 
> 
> Granted, I could do:
> allow httpd_t nfs_t:dir { search getattr };
> 
> Well, actually, I haven't tried it but I'm guessing that 
> that will work. The problem is that I have other nfs 
> directories that I don't want httpd to access, even 
> accidentally if we ever point httpd at those directories.
> 
> So... any ideas on the nfs mount with the context option?
> 
> 
> I'm running CentOS-5.1 with latest updates of everything.
> 
> johnn
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
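Added example (editor's code, not part of the thread or of any Red Hat document): shell functions that do the checks this exchange calls for around a context= NFS mount. They list NFS filesystems already mounted from the same server (Smalley's one-context-mount-per-superblock caveat), pull the SELinux type out of ls -Z output to confirm the label actually took, and filter kernel AVC lines for httpd denials whose target is still nfs_t. The server address, export, mount point and the /proc/mounts snapshot are assumed values; the two AVC lines are the ones from Johnny's post, rejoined onto single lines as the kernel logs them.

```shell
#!/bin/bash
# Added example, not code from the thread: checks around an SELinux
# context= mount of an NFS export. Server, export, mount point and the
# /proc/mounts snapshot below are hypothetical/constructed.

SERVER="192.168.1.100"
EXPORT="/data/test"
MNTPT="/mnt/test"
WANT_TYPE="httpd_sys_content_t"

# Constructed /proc/mounts snapshot: one other export already mounted from
# the same server, one from a different server.
SAMPLE_MOUNTS='/dev/VolGroup00/LogVol00 / ext3 rw 0 0
192.168.1.100:/data/www /var/www/html nfs rw,addr=192.168.1.100 0 0
192.168.1.200:/backup /mnt/backup nfs rw,addr=192.168.1.200 0 0'

# The two AVC denials from the post, each rejoined onto one line.
SAMPLE_AVC='Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc:  denied  { search } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc:  denied  { getattr } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Smalley's caveat: one context= per superblock, and NFS mounts from the
# same server can share a superblock. Print the mount points of NFS
# filesystems already mounted from server $2, given /proc/mounts text in $1.
same_server_nfs_mounts() {
    printf '%s\n' "$1" | awk -v srv="$2" '
        $3 ~ /^nfs/ && index($1, srv ":") == 1 { print $2 }'
}

# Pull the SELinux type out of one line of "ls -Z" / "ls -lZ" output,
# whatever column it lands in (user:role:type or user:role:type:level).
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:object_r:[^:]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# From kernel AVC lines, list httpd denials whose target is still nfs_t,
# i.e. the symptom of a context= option that did not take effect.
# Output: one "<permissions> <class>" pair per denial.
httpd_nfs_t_denials() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ && /comm="httpd"/ && /tcontext=[^ ]*:nfs_t/ {
            match($0, /[{] [^}]* [}]/)
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            cls = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^tclass=/) { split($i, t, "="); cls = t[2] }
            print perms, cls
        }'
}

# Live procedure (run as root against a real server): refuse if a
# same-server mount exists, mount with context=, then verify the label.
context_mount_and_verify() {
    local existing got
    existing=$(same_server_nfs_mounts "$(cat /proc/mounts)" "$SERVER")
    if [ -n "$existing" ]; then
        echo "unmount these first (context mounts are one per superblock):" >&2
        printf '%s\n' "$existing" | sed 's/^/  /' >&2
        return 1
    fi
    mount -t nfs -o "context=system_u:object_r:${WANT_TYPE}" \
        "${SERVER}:${EXPORT}" "$MNTPT" || return 1
    got=$(selinux_type_of "$(ls -dZ "$MNTPT")")
    if [ "$got" != "$WANT_TYPE" ]; then
        echo "mounted, but $MNTPT is labelled $got, not $WANT_TYPE;" \
             "check /var/log/messages for the kernel's complaint" >&2
        return 1
    fi
    echo "$MNTPT is $WANT_TYPE; httpd_t can now search/getattr/read it"
}

# Dry run on the constructed samples (no mount is attempted).
echo "same-server NFS mounts to unmount first:"
same_server_nfs_mounts "$SAMPLE_MOUNTS" "$SERVER"
echo "type on the failed mount: $(selinux_type_of 'drwxr-xr-x  65534 65534 system_u:object_r:nfs_t   test')"
echo "httpd denials against nfs_t:"
httpd_nfs_t_denials "$SAMPLE_AVC"
if [ "${1:-}" = "--live" ]; then context_mount_and_verify; fi
```

Run it with no arguments to exercise the parsers on the embedded samples; pass --live on a box where the mount should actually happen. The denial filter is deliberately narrow (httpd_t against nfs_t): a hit there after a context= mount means the label was not applied to that superblock, which is the situation to diagnose, rather than a policy rule to add.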



