Bug 471449
| Summary: | Allowing httpd cgi scripts to write to nfs | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | dwalsh, jkubin, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-12-18 22:05:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Orion, I have tried to reproduce this problem and if I turn on httpd_use_nfs: # setsebool -P httpd_use_nfs 1 I can write to nfs_t with httpd_suexec_t type. Version-Release number of selected component: selinux-policy-3.3.1-111.fc9.noarch libselinux-2.0.61-1.fc9.i386 selinux-policy-devel-3.3.1-111.fc9.noarch selinux-policy-targeted-3.3.1-111.fc9.noarch Indeed, seems fixed. |
Description of problem: I need to let cgi scripts write to nfs volumes. I was seeing: avc: denied {write } for pid=26689 comm="processEvent.cg" name="badEvents.txt" dev=0:1a ino=8610036 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file avc: denied {append } for pid=26874 comm="processEvent.cg" name="badEvents.txt" dev=0:1a ino=8610036 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file Tried turning on httpd_use_nfs but still saw the append error (write may still be an issue, but append may have been the only operation attempted at this point). Using my own policy module to work around for now. Version-Release number of selected component (if applicable): selinux-policy-3.3.1-107.fc9.noarch