On Thu, February 16, 2012 07:35, Lars Hecking wrote:
> Apache DocumentRoot on an NFS directory:
>
> [root@localhost ~]# service httpd start
> Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
> Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
> DocumentRoot must be a directory
>                                                            [FAILED]
> [root@localhost ~]#
>
> After some research, I found this (dated) link
>
> http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html
>
> and followed the suggestion, setsebool -P use_nfs_home_dirs=1. But I still can't start httpd. Not sure what to make of the audit log:
>
> type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Try this:
yum install policycoreutils-python setroubleshoot-server
Now use the audit2allow and semanage utilities to tell you what SEbooleans to set or what to include in a custom policy. Information from 2010 is out of date for SELinux on CentOS-6, assuming that you are in fact running the latest version, much less stuff from 2005.
HTH
On 02/16/2012 12:13 PM, James B. Byrne wrote:
> On Thu, February 16, 2012 07:35, Lars Hecking wrote:
> > Apache DocumentRoot on an NFS directory:
> > and followed the suggestion, setsebool -P use_nfs_home_dirs=1. But I still can't start httpd. Not sure what to make of the audit log:
>
> Now use the audit2allow and semanage utilities to tell you what SEbooleans to set or what to include in a custom policy. Information from 2010 is out of date for SELinux on CentOS-6, assuming that you are in fact running the latest version, much less stuff from 2005.
Actually the combination of two booleans would have also allowed this access.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')
But if you are not allowing apache to look in users homedirs, httpd_use_nfs is more secure.
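The triage James suggests (read the AVC, then ask the policy which boolean covers it) and the choice Dan describes between httpd_use_nfs and the httpd_enable_homedirs + use_nfs_home_dirs pair, written out as a small POSIX shell script. This is an added example, not code from any poster in the thread; the function names avc_triples, recommend and triage are invented here, and the sample input is the two AVC records from the thread, constructed inline so the script runs without auditd or the SELinux tools. The setsebool line is printed, not executed.

```shell
#!/bin/sh
# Added example, not code from the thread: reduce AVC denials to
# (source type, target type, class, permission) and map the httpd_t -> nfs_t
# case to the booleans discussed above. Nothing here changes the policy.

# Constructed sample input: the two AVC records from the thread, one per line,
# as they would appear in /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1329395502.678:61926): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1329395502.681:61927): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Print "source_type target_type class perm" for each denial on stdin.
# The SELinux user and role (unconfined_u:system_r here) are dropped: the
# type pair is what a boolean or an allow rule keys on. Duplicates collapse.
avc_triples() {
    sed -n 's/.*avc: *denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
        sort -u
}

# Map one denial to the fix. $3 says whether httpd is also meant to serve
# ~user content: if not, httpd_use_nfs is the narrower grant, because the
# two-boolean form additionally opens home directories to httpd.
recommend() {
    src=$1 tgt=$2 homedirs=${3:-no}
    case "$src/$tgt/$homedirs" in
        httpd_t/nfs_t/no)  echo "setsebool -P httpd_use_nfs=1" ;;
        httpd_t/nfs_t/yes) echo "setsebool -P httpd_enable_homedirs=1 use_nfs_home_dirs=1" ;;
        # Anything else: let the installed policy say whether a boolean covers it.
        *)                 echo "audit2allow -w -a" ;;
    esac
}

# Triage an audit log ($2, default: the constructed sample) and print the
# denial plus the command to apply. $1 is the home-directory choice.
triage() {
    homedirs=${1:-no}
    log=${2:-}
    { if [ -n "$log" ]; then cat -- "$log"; else printf '%s\n' "$SAMPLE_AVC"; fi; } |
        avc_triples |
        while read -r src tgt cls perm; do
            echo "# $src denied $perm on $tgt ($cls)"
            recommend "$src" "$tgt" "$homedirs"
        done
}

triage no
```

Before applying the -P (persistent) change, confirm the boolean exists on the box (getsebool httpd_use_nfs, or semanage boolean -l) and cross-check with audit2allow -w -a, which names the boolean itself when one already covers the denial. Two caveats: the boolean fixes only the SELinux side, so if the export is mounted with root_squash the DocumentRoot check that httpd does as root at startup can still fail on ordinary permissions; and mounting the export with -o context=system_u:object_r:httpd_sys_content_t:s0 labels the content as normal web content and needs no boolean at all.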
On Thu, Feb 16, 2012 at 11:13 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
> Information from 2010 is out of date for SELinux on CentOS-6,

I thought the whole point of enterprise distributions was to not have behavior changes for a major version release, which would, in fact have been in 2010 for the upstream copy.
On 02/16/2012 12:52 PM, Les Mikesell wrote:
> On Thu, Feb 16, 2012 at 11:13 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
> > Information from 2010 is out of date for SELinux on CentOS-6,
>
> I thought the whole point of enterprise distributions was to not have behavior changes for a major version release, which would, in fact have been in 2010 for the upstream copy.
The data from 2010 is still current, but you need to change both booleans.