Hi,
I am using selinux under Fedora 10 (2.6.27.37). I have Apache httpd running, and I would like it to be able to serve requests for files which are on a mounted NTFS volume.
I have tried to mount the volume with an appropriate context:
    mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/somedevice /mnt/somemountpoint
But the resulting context on files within the mount is still:
    system_u:object_r:fusefs_t:s0
The mount itself doesn't generate any noteworthy warnings/errors in my logs. So of course selinux disallows apache to read the files and generates corresponding denials in my logs. No other partition on this device is already mounted.
Is this a known bug? Others seem to have similar issues:
http://old.nabble.com/mounting-nfs-as-httpd_sys_content_t-under-selinux-td14...
http://forums.fedoraforum.org/archive/index.php/t-246937.html
http://old.nabble.com/SELinux-enforcing,-an-external-ntfs-3g-mount,-Samba-an...
I guess an alternative is to create a policy that tells selinux to allow httpd to read fuse files, as is described here: https://bugzilla.redhat.com/show_bug.cgi?id=631616#c2
Any ideas?
Thanks
On 09/09/2010 07:46 AM, Chris Lopes wrote:
> Hi,
> I am using selinux under Fedora 10 (2.6.27.37). I have Apache httpd running, and I would like it to be able to serve requests for files which are on a mounted NTFS volume.
First off, please update to a Fedora Release that is supported (F12, F13, F14).
> I have tried to mount the volume with an appropriate context:
>     mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/somedevice /mnt/somemountpoint
> But the resulting context on files within the mount is still:
>     system_u:object_r:fusefs_t:s0
Open a bug on this, again on an OS that is supported.
I would just add allow rules using audit2allow for now.
    # grep http /var/log/audit/audit.log | audit2allow -M myhttp
    # semodule -i myhttp.pp
> The mount itself doesn't generate any noteworthy warnings/errors in my logs. So of course selinux disallows apache to read the files and generates corresponding denials in my logs. No other partition on this device is already mounted.
> Is this a known bug? Others seem to have similar issues:
> http://old.nabble.com/mounting-nfs-as-httpd_sys_content_t-under-selinux-td14...
> http://forums.fedoraforum.org/archive/index.php/t-246937.html
> http://old.nabble.com/SELinux-enforcing,-an-external-ntfs-3g-mount,-Samba-an...
> I guess an alternative is to create a policy that tells selinux to allow httpd to read fuse files, as is described here: https://bugzilla.redhat.com/show_bug.cgi?id=631616#c2
> Any ideas?
> Thanks
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
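Added example, not part of any message in this thread: the "grep http | audit2allow" pipeline above builds rules from every denial that mentions "http", so this sketch lists only what the httpd_t to fusefs_t pair would need, for review before the module is loaded. The log lines are constructed, and the function names and the httpd_t source type are assumptions.

```sh
#!/bin/sh
# Added example: list the allow rules one source/target type pair would need,
# so the module built by audit2allow can be reviewed before it is loaded.

# Constructed audit.log lines (illustrative, not taken from the thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1284040001.101:201): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/mnt/somemountpoint/index.html" dev=fuse ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1284040001.102:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=fuse ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1284040001.103:203): avc:  denied  { read open } for  pid=2101 comm="httpd" name="index.html" dev=fuse ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1284040002.104:204): avc:  denied  { search } for  pid=2101 comm="httpd" name="docs" dev=fuse ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1284040003.105:205): avc:  denied  { read } for  pid=2101 comm="httpd" name="notes.txt" dev=sda2 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Read AVC records on stdin; print one candidate rule per object class for
# the given source type ($1, default httpd_t) and target type ($2, default fusefs_t).
summarise_denials() {
  awk -v src="${1:-httpd_t}" -v tgt="${2:-fusefs_t}" '
    /avc:/ && /denied/ {
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s != src || t != tgt) next
      # Denied permissions sit between "{" and "}"; keep each one once per class.
      inb = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inb = 1; continue }
        if ($i == "}") break
        if (inb && !seen[c, $i]++) perm[c] = perm[c] " " $i
      }
    }
    END { for (c in perm) printf "allow %s %s:%s {%s };\n", src, tgt, c, perm[c] }
  ' | sort
}

sample_log | summarise_denials
```

Compare this output with the myhttp.te file that audit2allow -M writes before running semodule -i. In the constructed log, the user_home_t denial matches "grep http" but has nothing to do with the NTFS mount.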
I am not able to update to a supported release at this time.
I will try audit2allow, as you have suggested.
----- Original Message ----
From: Daniel J Walsh dwalsh@redhat.com
To: Chris Lopes clopes@yahoo.com
Cc: selinux@lists.fedoraproject.org
Sent: Thu, September 9, 2010 7:01:37 PM
Subject: Re: Giving httpd access to a mounted NTFS volume
From: Chris Lopes clopes@yahoo.com
Subject: Giving httpd access to a mounted NTFS volume
To: selinux@lists.fedoraproject.org
Date: Thursday, September 9, 2010, 2:46 PM
> Hi,
> I am using selinux under Fedora 10 (2.6.27.37). I have Apache httpd running, and I would like it to be able to serve requests for files which are on a mounted NTFS volume.
> I have tried to mount the volume with an appropriate context:
>     mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/somedevice /mnt/somemountpoint
> But the resulting context on files within the mount is still:
>     system_u:object_r:fusefs_t:s0
> The mount itself doesn't generate any noteworthy warnings/errors in my logs. So of course selinux disallows apache to read the files and generates corresponding denials in my logs. No other partition on this device is already mounted.
> Is this a known bug?
https://bugzilla.redhat.com/show_bug.cgi?id=502946
Cheers, Cristian
Great, thanks for the confirmation. The audit2allow way works fine.
----- Original Message ----
From: Cristian Ciupitu cristian.ciupitu@yahoo.com
To: selinux@lists.fedoraproject.org; Chris Lopes clopes@yahoo.com
Sent: Thu, September 9, 2010 7:27:12 PM
Subject: Re: Giving httpd access to a mounted NTFS volume