Now you can take the pins out of the voodoo doll of me.
Not gonna happen.


I noticed my back was hurting.

Ouch

selinux with httpd and cifs_t

Hello,

First of all, thanks for great articles on your website.
I've got a couple of SELinux installations, but on one of them I've noticed strange behaviour.
In my environment I have httpd, which serves files from a mounted CIFS directory, and it seems to work, but in this directory my web application must be able to create dirs/files. When a new dir is created, I try to upload files into it, but it's impossible. The result of this action is:
# audit2allow -i /var/log/audit/audit.log

#============= httpd_t ==============
allow httpd_t cifs_t:file 0x100000;

I'm not able to create a module from this AVC:

only letters and numbers allowed in module names

details:

rhel 5
selinux-policy-targeted-2.4.6-300.el5

Dir mounted with:
mount -t cifs //10.1.1.2/share /var/www/html/share -o credentials=

httpd_use_cifs --> on

best regards
witalis
http://blog.witalis.net
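The `0x100000` in the audit2allow output above is a raw access-vector bitmask the policy could not name. The following is an added example (not code from the post or the blog) that parses AVC denial records and decodes such a mask into permission names using the reference policy's file-class bit order, which is assumed here; the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Permission bit order of the SELinux "file" class in the reference policy's
# access_vectors: the 17 common file permissions first, then the four
# file-specific ones. Bit 20 is "open"; a kernel that checks it while the
# loaded policy has no name for it logs the raw mask 0x100000, which is what
# audit2allow then echoes. Assumption: standard refpolicy ordering; verify
# against the access_vectors file of the policy actually installed.
FILE_PERMS: List[str] = [
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",
    "execute_no_trans", "entrypoint", "execmod", "open",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records, modelled on the denial discussed in the post.
SAMPLE_LINES = [
    'type=AVC msg=audit(1262304000.123:4567): avc:  denied  { 0x100000 } for  '
    'pid=2345 comm="httpd" name="upload" dev=cifs ino=12345 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file',
    'type=AVC msg=audit(1262304000.456:4568): avc:  denied  { write } for  '
    'pid=2345 comm="httpd" name="upload" dev=cifs ino=12345 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir',
]


def decode_mask(mask: int, perm_names: List[str]) -> List[str]:
    """Map each set bit of a raw access vector to its permission name (or bitN)."""
    names, bit = [], 0
    while mask:
        if mask & 1:
            names.append(perm_names[bit] if bit < len(perm_names) else f"bit{bit}")
        mask >>= 1
        bit += 1
    return names


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Extract source/target types, class and (decoded) permissions from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms: List[str] = []
    for tok in m.group("perms").split():
        # Only the file class table is known here; other classes keep the hex token.
        if tok.startswith("0x") and m.group("tclass") == "file":
            perms.extend(decode_mask(int(tok, 16), FILE_PERMS))
        else:
            perms.append(tok)
    return {"source_type": m.group("scontext").split(":")[2],
            "target_type": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"), "perms": perms}
```

Running `parse_avc` over a real audit.log shows which named permission a hex-only denial stands for, so the denial can be compared against what the `httpd_use_cifs` boolean actually grants before deciding whether a policy bug report is warranted.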

Re: selinux with httpd and cifs_t

I guess it worked on the remount, not sure why this happened. You could also try the mount with httpd_sys_rw_content_t;

mount -t cifs //10.1.1.2/share /var/www/html/share -o context="system_u:object_r:httpd_sys_rw_content_t:s0",credentials=

Re: selinux with httpd and cifs_t

I tried to mount with different httpd contexts, but every time my webapp creates a new folder I can't upload files into it, so I have to remount over and over; finally I turned on permissive mode.

Re: selinux with httpd and cifs_t

Can you open a bugzilla on this and attach the AVC messages you are seeing? It might be a problem with the way the kernel is handling cifs_t.


Errata

When I remount this dir, uploading files is possible.

Wonder if this is a typo?

This command tells the SELinux kernel to treat all content in this file system as httpd_sys_content_t. httpd_t will **not**? be allowed to access this content but not access the other NFS file systems mounted on the system.


Thanks, I fixed it. This is why I need an editor. :^)

httpd_t will be allowed to access the content mounted as httpd_sys_content_t, but httpd_t will still be denied access to other NFS file systems mounted on the system.
