From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: [Fwd: Unable to create files when using "context" option for NFS]
Date: Wed, 08 Jun 2005 10:48:56 -0400
Message-ID: <42A70558.5030609@redhat.com>
What is the best way to handle this?
If I add a rule
allow file_type self:filesystem associate;
Will that cause an explosion in rules? Will this open a security risk?
We tell people to use the mount -o context flags, but policy cannot
handle most of them without the above rule.
Dan
--
[-- Forwarded message: Unable to create files when using "context" option for NFS --]
From: Robert Bottomley <bob@mail.cert.ucr.edu>
To: fedora-selinux-list@redhat.com
Subject: Unable to create files when using "context" option for NFS
Date: Wed, 01 Jun 2005 14:43:44 -0700
Message-ID: <429E2C10.7060501@cert.ucr.edu>
In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use
by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
Any attempts to create a file in /svn are met with (here I was attempting a
"touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795
exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t
tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify, I cannot create a file -- even
though my shell is running as unconfined_t. (If a file already exists, I can
edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the
unconfined_t context?
2. Audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted
Policy booleans:
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
--
Robert Bottomley | E-mail: bob@cert.ucr.edu
System Administrator | Tel: 951-781-5788
College of Engineering | It is dangerous to be right
Center for Environmental | CE-CERT when the government is wrong.
Research and Technology | UC Riverside --Voltaire
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
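The AVC record and the audit2allow output quoted in the forwarded message follow a regular key=value layout: the denied permission set, the source context (here the context the new file would carry, root:object_r:httpd_sys_script_rw_t), the target context (the filesystem's context, fixed by the context= mount option) and the target class. The script below is an added example for this thread, not code from either poster and not the real audit2allow. It parses denial lines of that shape into the types they name and collapses them into allow rules the way audit2allow presents them, writing `self` when source and target type coincide, which is exactly why the filesystem associate denial above turns into `allow httpd_sys_script_rw_t self:filesystem associate;`. The first sample line is the denial from the post joined onto one line; the second line and the non-AVC line are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Sample log. Line 1 is the denial quoted in the post (rejoined onto one line);
# lines 2 and 3 are constructed for this example and do not come from the thread.
SAMPLE_LOG = [
    "audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch "
    "name=x scontext=root:object_r:httpd_sys_script_rw_t "
    "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem",
    # constructed: an ordinary file access denial between two different types
    "audit(1117233400.112:0): avc: denied { read write } for pid=12801 exe=/usr/bin/python "
    "name=index.cgi scontext=system_u:system_r:httpd_t "
    "tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=file",
    # constructed: not an AVC record at all, must be ignored
    "audit(1117233401.000:0): login acct=root exe=/bin/login",
]

# Field layout of a kernel AVC denial: "avc: denied { perm ... } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return fields[2]


def parse_avc(line):
    """Parse one log line.

    Returns (source_type, target_type, tclass, perms) for an AVC denial,
    or None for any other line.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        perms,
    )


def rules_from_denials(lines):
    """Collapse denials into one allow rule per (source, target, class).

    Mirrors how audit2allow prints its suggestions: permissions for the same
    type pair and class are merged into one rule, and when source and target
    type are the same the target is written as 'self'.
    """
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        wanted[(stype, ttype, tclass)].update(perms)

    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        target = "self" if stype == ttype else ttype
        perm_list = sorted(perms)
        if len(perm_list) == 1:
            perm_str = perm_list[0]
        else:
            perm_str = "{ %s }" % " ".join(perm_list)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for rule in rules_from_denials(SAMPLE_LOG):
        print(rule)
```

The rule that comes out for the first line is the one audit2allow gave Robert. The `self` in it is not about the unconfined_t shell that ran touch: for the filesystem associate check the subject is the label the new file would get, and that label is the same httpd_sys_script_rw_t type the context= option put on the mount, so source and target are the same type and the rule names the type once with `self`.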
Thread overview:
2005-06-08 14:48 Daniel J Walsh [this message]
2005-06-08 15:10 ` [Fwd: Unable to create files when using "context" option for NFS] Stephen Smalley
2005-06-09 2:47 ` Daniel J Walsh