Description of problem:
On my server I correctly get the following AVC by default:

-------------------------------------------------------------
Summary:

SELinux prevented run.cgi from reading files stored on a NFS filesytem.

Detailed Description:

SELinux prevented run.cgi from reading files stored on a NFS filesystem. NFS
(Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems. run.cgi attempted to read one or more files or directories from a
mounted filesystem of this type. As NFS filesystems do not support fine-grained
SELinux labeling, all files and directories in the filesystem will have the
same security context. If you have not configured run.cgi to read files from a
NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                [ dir ]
Source                        run.cgi
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     cup2.sketchengine.co.uk
Platform                      Linux cup2.sketchengine.co.uk 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   25
First Seen                    Thu Apr 22 18:37:27 2010
Last Seen                     Thu Apr 22 23:55:38 2010
Local ID                      e4e7837d-2d47-411b-b738-fe8cc156a49c
Line Numbers                  10330, 10331, 10332, 10333, 10336, 10337, 10338, 10345, 10346, 10347, 10348, 10355, 10356, 10357, 10358, 10361, 10362, 10363, 10364, 10369, 10370, 10371, 10372, 10464, 10465, 10466, 10467, 10472, 10473, 10474, 10475, 10490, 10491, 10492, 10493, 10660, 10661, 10662, 10663, 18939, 18940, 18941, 18942, 18943, 18944, 18949, 18950, 18951, 18952, 18953, 18954

Raw Audit Messages

type=AVC msg=audit(1271973338.973:42706): avc: denied { search } for pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1271973338.973:42706): arch=c000003e syscall=2 success=no exit=-13 a0=d04f58 a1=0 a2=1b6 a3=0 items=0 ppid=16555 pid=16768 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=9 comm="run.cgi" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
----------------------------------------------------

The problem is that it advises to use use_nfs_home_dirs=1, but the correct solution is to allow httpd_use_nfs=1.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.32-108.fc12.noarch
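The check the plugin should be making, as an added example that is not part of the bug report or of setroubleshoot: parse the raw AVC line quoted above, and recommend httpd_use_nfs when the denied source domain is one of the Apache domains and use_nfs_home_dirs only otherwise. The set of Apache domains (HTTPD_DOMAINS) is an assumption of this example, not something the report lists.

```python
import re

# Raw AVC line copied from the report's "Raw Audit Messages" section.
AVC_LINE = ('type=AVC msg=audit(1271973338.973:42706): avc: denied { search } '
            'for pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 '
            'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
            'tcontext=system_u:object_r:nfs_t:s0 tclass=dir')

# Assumed set of domains from the Apache policy module; for these, NFS access
# is governed by httpd_use_nfs rather than by the home-directory boolean.
HTTPD_DOMAINS = {"httpd_t", "httpd_sys_script_t", "httpd_suexec_t"}


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus the denied permissions,
    or None when the line is not an AVC denial (e.g. a SYSCALL record)."""
    if "avc: denied" not in line:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    # The type is the third colon-separated field of an SELinux context.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def suggest_boolean(avc):
    """Name the boolean that covers an nfs_t denial, or None if none applies."""
    if avc is None or avc["ttype"] != "nfs_t":
        return None
    if avc["stype"] in HTTPD_DOMAINS:
        return "httpd_use_nfs"
    return "use_nfs_home_dirs"


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("%s denied %s on %s -> setsebool -P %s=1"
          % (avc["stype"], " ".join(avc["perms"]), avc["ttype"],
             suggest_boolean(avc)))
```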
setroubleshoot-plugins-2.1.50-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.