[CentOS] Baffled by selinux

Thu Feb 16 17:22:46 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 02/16/2012 12:13 PM, James B. Byrne wrote:
> 
> On Thu, February 16, 2012 07:35, Lars Hecking wrote:
>> 
>> Apache DocumentRoot on an NFS directory:
>> 
>> [root at localhost ~]# service httpd start
>> Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
>> Syntax error on line 292 of /etc/httpd/conf/httpd.conf: DocumentRoot must be a directory
>> [FAILED]
>> [root at localhost ~]#
>> 
>> After some research, I found this (dated) link
>> 
>> http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html
>> 
>> and followed the suggestion, setsebool -P use_nfs_home_dirs=1.
>> But I still can't start httpd. Not sure what to make of the
>> audit log:
>> 
>> type=AVC msg=audit(1329395502.678:61926): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>> type=AVC msg=audit(1329395502.681:61927): avc:  denied  { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>> 
> 
> Try this:
> 
> yum install policycoreutils-python setroubleshoot-server
> 
> Now use the audit2allow and semanage utilities to tell you what
> SEbooleans to set or what to include in a custom policy.
> Information from 2010 is out of date for SELinux on CentOS-6,
> assuming that you are in fact running the latest version, much less
> stuff from 2005.
> 
> HTH
> 

Actually the combination of two booleans would have also allowed this
access.

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

But if you are not allowing apache to look in users' home dirs,
httpd_use_nfs is more secure.
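As an added example that is not part of the thread: a small POSIX shell script that pulls the source type, target type, object class and permission out of AVC records like the ones quoted above and, for the httpd_t-on-nfs_t case, points at the narrower httpd_use_nfs boolean rather than the homedir pair. The two sample records are constructed from the ones quoted in the thread, and the boolean mapping is an assumption that covers only that case; anything else is sent to audit2allow.

```shell
#!/bin/sh
# Constructed sample: the two AVC denials quoted in the thread (SYSCALL records omitted).
AVC_SAMPLE='type=AVC msg=audit(1329395502.678:61926): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1329395502.681:61927): avc:  denied  { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Type component (third field) of a context such as unconfined_u:system_r:httpd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One "source_type target_type class perm" line per AVC record in the input.
avc_summary() {
    printf '%s\n' "$1" | grep '^type=AVC' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        printf '%s %s %s %s\n' "$(ctx_type "$src")" "$(ctx_type "$tgt")" "$cls" "$perm"
    done
}

# Assumed mapping: only the case discussed in the thread is known here.
# httpd_use_nfs is preferred over httpd_enable_homedirs && use_nfs_home_dirs
# when apache does not need to read users' home directories.
suggest_boolean() {
    case "$1:$2" in
        httpd_t:nfs_t) echo "httpd_use_nfs" ;;
        *) echo "none" ;;
    esac
}

# Collapse duplicate denials and print the boolean to set, or defer to audit2allow.
recommend() {
    avc_summary "$1" | sort -u | while read -r src tgt cls perm; do
        b=$(suggest_boolean "$src" "$tgt")
        if [ "$b" = none ]; then
            printf '%s -> %s (%s %s): no known boolean, run audit2allow -a\n' "$src" "$tgt" "$cls" "$perm"
        else
            printf '%s -> %s (%s %s): setsebool -P %s 1\n' "$src" "$tgt" "$cls" "$perm" "$b"
        fi
    done
}

recommend "$AVC_SAMPLE"
```

On a live box the input would come from `ausearch -m avc -ts recent` instead of the constructed sample.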
