Description of problem:
Similar to the issue fixed for RHEL 6 in BZ 911541, a fix is required for RHEL 5.
If glusterfs-fuse mount is used for the web-site content directory, the httpd process is prevented from accessing the content by SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-338.el5
selinux-policy-targeted-2.4.6-338.el5

How reproducible:

Steps to Reproduce:
1. Set up a Red Hat Storage (RHS) server to provide a gluster volume, with the web content.
2. Mount the gluster volume on a web server system, using glusterfs-fuse mount, at the Document Root of the web site, and try to start the httpd service.
3. The '-o context='system_u:object_r:httpd_sys_content_t:s0'' mount option does not work for the gluster fuse mount, and it is the same in RHEL 6. So that possibility of a workaround step is not available.
4. The 'httpd_use_fusefs' SELinux boolean was introduced in RHEL 6 to fix this. That boolean is not available for RHEL 5.

-------------------------------------------------------
# mount -t glusterfs -o context='system_u:object_r:httpd_sys_content_t:s0' RHSvm08:/APPstore /var/www/html/
unknown option context (ignored)
# ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:fusefs_t /var/www/html/
# service httpd start
Starting httpd: Syntax error on line 281 of /etc/httpd/conf/httpd.conf: DocumentRoot must be a directory
[FAILED]
# getsebool -a | grep httpd_use
httpd_use_cifs --> off
httpd_use_nfs --> off
-------------------------------------------------------

The audit log message:

type=AVC msg=audit(1363720337.479:16): avc: denied { getattr } for pid=2768 comm="httpd" path="/var/www/html" dev=fuse ino=1 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363720337.479:16): arch=c000003e syscall=4 success=no exit=-13 a0=2b2c38815720 a1=7fff9dc3f120 a2=7fff9dc3f120 a3=0 items=0 ppid=2767 pid=2768 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Actual results:
httpd (httpd_t) cannot access web content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Expected results:
httpd should be able to access web content stored in a gluster volume, mounted using gluster-fuse mount method.

Additional info:
If the gluster volume is mounted using nfs, and the 'httpd_use_nfs' boolean is turned on, httpd is able to be started up, and it can access the web content.
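Added example, not part of the original report or of any Red Hat tooling: a small triage script that parses AVC denials like the one quoted above and reports which httpd boolean governs the denied target type. The function names (parse_avc, httpd_remote_fs_denials) are hypothetical, the second and third log records are constructed for the demo, and the nfs_t/cifs_t type names are assumed from the standard targeted policy.

```python
import re

# First record is the AVC from the report; the other two are constructed sample input.
SAMPLE_LOG = """\
type=AVC msg=audit(1363720337.479:16): avc: denied { getattr } for pid=2768 comm="httpd" path="/var/www/html" dev=fuse ino=1 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1363720400.100:21): avc: denied { read } for pid=2790 comm="httpd" name="index.html" dev=0:15 ino=77 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1363720410.200:22): avc: denied { read } for pid=2801 comm="sshd" name="x" dev=dm-0 ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
"""

# Target type -> boolean that gates httpd_t access to it.
# Per the report, httpd_use_fusefs exists in RHEL 6 but not in RHEL 5.
BOOLEAN_FOR_TYPE = {
    "fusefs_t": "httpd_use_fusefs",
    "nfs_t": "httpd_use_nfs",
    "cifs_t": "httpd_use_cifs",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))
    rec = {key: value.strip('"') for key, value in pairs}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def httpd_remote_fs_denials(log_text):
    """List (serial, target type, perms, object, boolean) for httpd_t denials."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] == "httpd_t" and rec["ttype"] in BOOLEAN_FOR_TYPE:
            obj = rec.get("path") or rec.get("name")
            findings.append((rec["serial"], rec["ttype"], rec["perms"],
                             obj, BOOLEAN_FOR_TYPE[rec["ttype"]]))
    return findings

if __name__ == "__main__":
    for finding in httpd_remote_fs_denials(SAMPLE_LOG):
        print(finding)
```
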
We have fixes in RHEL6. Will back port.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1312.html