On 02/16/2012 12:13 PM, James B. Byrne wrote:
>
> On Thu, February 16, 2012 07:35, Lars Hecking wrote:
>>
>> Apache DocumentRoot on an NFS directory:
>>
>> [root at localhost ~]# service httpd start
>> Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
>> Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
>> DocumentRoot must be a directory
>>                                                            [FAILED]
>> [root at localhost ~]#
>>
>> After some research, I found this (dated) link
>>
>> http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html
>>
>> and followed the suggestion, setsebool -P use_nfs_home_dirs=1.
>> But I still can't start httpd. Not sure what to make of the
>> audit log:
>>
>> type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>> type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>>
>
> Try this:
>
> yum install policycoreutils-python setroubleshoot-server
>
> Now use the audit2allow and semanage utilities to tell you what
> SEbooleans to set or what to include in a custom policy.
> Information from 2010 is out of date for SELinux on CentOS-6,
> assuming that you are in fact running the latest version, much less
> stuff from 2005.
>
> HTH
>

Actually the combination of two booleans would have also allowed this access.

    tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
        fs_list_auto_mountpoints(httpd_t)
        fs_read_nfs_files(httpd_t)
        fs_read_nfs_symlinks(httpd_t)
    ')

But if you are not allowing apache to look in users' homedirs, httpd_use_nfs is more secure.
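As an added example (not part of the thread), a bash helper that reduces AVC records like the ones quoted above to (source type, target type, class, permission) tuples and maps the httpd_t -> nfs_t case to the boolean the last reply recommends. The sample records are copied from the thread; the type-to-boolean mapping, the function names and the optional getsebool check are assumptions.

```shell
#!/bin/bash
# Constructed sample input: the two AVC records quoted in the thread, one per line.
AVC_SAMPLE='type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# avc_tuples: read audit records on stdin and emit "stype ttype tclass perm"
# for each AVC denial, deduplicated so repeated denials collapse to one line.
avc_tuples() {
    grep 'avc: *denied' \
    | sed -n -E 's/.*denied \{ *([a-z_]+) *\}.*scontext=[^:]+:[^:]+:([a-z_]+):.*tcontext=[^:]+:[^:]+:([a-z_]+):.*tclass=([a-z_]+).*/\2 \3 \4 \1/p' \
    | sort -u
}

# suggest_boolean STYPE TTYPE: print the boolean to consider for a source/target
# type pair (assumed mapping covering only the case on the page), or fail if unknown.
suggest_boolean() {
    case "$1:$2" in
        # httpd serving a DocumentRoot on NFS: httpd_use_nfs is the narrower fix;
        # httpd_enable_homedirs + use_nfs_home_dirs also works but opens home dirs too.
        httpd_t:nfs_t) echo "httpd_use_nfs" ;;
        *) return 1 ;;
    esac
}

# triage: full pass over stdin, printing the setsebool command to consider for
# each denial whose type pair has a known boolean, and a pointer to audit2allow otherwise.
triage() {
    avc_tuples | while read -r stype ttype tclass perm; do
        if bool=$(suggest_boolean "$stype" "$ttype"); then
            printf '%s -> %s (%s %s): setsebool -P %s=1\n' "$stype" "$ttype" "$tclass" "$perm" "$bool"
        else
            printf '%s -> %s (%s %s): no boolean known, run audit2allow -a\n' "$stype" "$ttype" "$tclass" "$perm"
        fi
    done
}

# On a host with SELinux tools, show the current state of the three booleans discussed.
if command -v getsebool >/dev/null 2>&1; then
    getsebool httpd_use_nfs httpd_enable_homedirs use_nfs_home_dirs || true
fi

printf '%s\n' "$AVC_SAMPLE" | triage
```

Feed it real records with `ausearch -m avc | triage` (or `triage < /var/log/audit/audit.log`) on the affected host.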