SELinux context disappears after NFS mount

Fabrizio Buratta extremoburo at gmail.com
Wed Oct 8 09:37:17 UTC 2008


Hi everybody.

I'm trying to mount an NFS server (a RAID5 NAS) on my CentOS 4 box.
Afterwards I want a script inside the Apache cgi-bin directory to be
able to do any file and directory operations.

Let's say I want a context that allows Apache r/w operations on my
mount dir; then I execute:

mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t mynas:/external_dir /mnt/my_mount_dir

It does mount my external dir, but if I execute ls -Z I see:

drwxrwxrwx  254      254                                       storage

Where's my context? Obviously my script is not able to write to this
directory, and SELinux complains:

type=AVC msg=audit(1223458283.439:3794033): avc:  denied  { getattr }
for  pid=21669 comm="python" name="var" dev=dm-0 ino=261121
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003
syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4
a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1223458283.439:3794033):  path="/var"
type=CWD msg=audit(1223458283.439:3794033):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0
inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.050:3794034): avc:  denied  { search }
for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003
syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4
a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.050:3794034):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.050:3794034):
name="/mnt/storage/nightly/testfile" flags=1  inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.051:3794035): avc:  denied  { search }
for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003
syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241
items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.051:3794035):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.051:3794035):
name="/mnt/storage/nightly/testfile" flags=310  inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00

Of course I'm using a Python script.
So far I have not tried to compile a local SELinux policy in order to
allow that kind of operation (I would avoid it if possible).

Any suggestions?

Thanks,
Fab.
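As an added example, not part of the original post or of any SELinux tool: a small Python parser for audit records of the kind quoted above. It re-joins records that a mail client has wrapped across several lines, groups them by audit serial, and for each AVC denial reports the denied permission, the object the denial is on (the name=/dev= pair and its tcontext) next to the path the syscall was actually trying to reach, taken from the event's PATH or AVC_PATH record. The sample log is a constructed string holding the three events quoted in the post; the i386 syscall name table is a hand-written partial one covering only the three numbers that occur in them.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the post, line-wrapped as the mail client left them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1223458283.439:3794033): avc:  denied  { getattr }
for  pid=21669 comm="python" name="var" dev=dm-0 ino=261121
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003
syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4
a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1223458283.439:3794033):  path="/var"
type=CWD msg=audit(1223458283.439:3794033):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0
inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.050:3794034): avc:  denied  { search }
for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003
syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4
a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.050:3794034):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.050:3794034):
name="/mnt/storage/nightly/testfile" flags=1  inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.051:3794035): avc:  denied  { search }
for  pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003
syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241
items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.051:3794035):  cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.051:3794035):
name="/mnt/storage/nightly/testfile" flags=310  inode=718081 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Hand-written partial i386 syscall table (arch=40000003 is AUDIT_ARCH_I386); covers only the sample.
I386_SYSCALLS = {"5": "open", "195": "stat64", "196": "lstat64"}

def unwrap_records(text):
    """Re-join wrapped records: a line that does not start with 'type=' continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_kv(s):
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}

def parse_denials(text):
    """Group records by audit serial; collect each AVC denial plus the path the syscall asked for."""
    events = defaultdict(lambda: {"denials": [], "path": None, "syscall": None})
    for rec in unwrap_records(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev, kv = events[serial], parse_kv(body)
        if rtype == "AVC":
            a = AVC_RE.search(body)
            if a:
                d = parse_kv(a.group(2))  # fields after 'for': pid, comm, name, dev, ino, contexts, tclass
                ev["denials"].append({"perms": a.group(1).split(), "name": d.get("name"),
                                      "dev": d.get("dev"), "scontext": d.get("scontext"),
                                      "tcontext": d.get("tcontext"), "tclass": d.get("tclass")})
        elif rtype == "AVC_PATH":
            ev["path"] = kv.get("path")  # preferred: the kernel-resolved path of the denied object
        elif rtype == "PATH" and ev["path"] is None:
            ev["path"] = kv.get("name")  # fallback: the path the syscall was given
        elif rtype == "SYSCALL":
            ev["syscall"] = I386_SYSCALLS.get(kv.get("syscall"), kv.get("syscall"))
    return dict(events)

def summarize(text):
    """One row per denied permission: (serial, syscall, requested path, denied object, tcontext, perm)."""
    rows = []
    for serial, ev in sorted(parse_denials(text).items()):
        for d in ev["denials"]:
            for perm in d["perms"]:
                rows.append((serial, ev["syscall"], ev["path"],
                             "%s on %s (%s)" % (d["name"], d["dev"], d["tclass"]),
                             d["tcontext"], perm))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        print("%s %-7s %-32s denied %s on %s [%s]" % (row[0], row[1], row[2], row[5], row[3], row[4]))
```

Run over the sample, the summary shows that all three denials are on directories on dev=dm-0, the local root filesystem: getattr on /var (var_t) and search on /mnt (mnt_t), i.e. the path components the script walks on its way to the mount point. None of the quoted records mentions the context passed to mount, so that is worth checking before generating a local policy module: audit2allow fed these records would emit allow rules for var_t and mnt_t.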

More information about the fedora-selinux-list mailing list