Hi,

the problem is in the permission of httpd to access the nfsen.comm socket file.

When you view the page with SELinux enabled (enforcing or permissive),
you should see a so-called AVC message in /var/log/audit/audit.log (the
whole message is at the end). The most important fields are:

path="/data/nfsen/var/run/nfsen.comm"
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t
tclass=sock_file

which means that httpd with type httpd_t cannot read a sock_file with
type default_t. The solution is to set nfsen.comm to such a type that httpd
can access (the whole list of such contexts can be listed by "sesearch
-s httpd_t -c sock_file --allow"). The solution can then look like this:


semanage fcontext -a -t httpd_var_run_t /data/nfsen/var/run/nfsen.comm
restorecon -Rv /data/nfsen/var/run/


The restorecon should say that it changed the type in the context of the
nfsen.comm file to httpd_var_run_t. And now it should work. Here is the whole
AVC message; the path can of course be different:


time->Sun Dec  2 14:10:50 2012
type=SYSCALL msg=audit(1354453850.276:285): arch=c000003e syscall=42
success=yes exit=0 a0=b a1=7fff0365ddf0 a2=20 a3=666e2f617461642f
items=0 ppid=1664 pid=1672 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354453850.276:285): avc:  denied  { connectto } for
 pid=1672 comm="httpd" path="/data/nfsen/var/run/nfsen.comm"
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
type=AVC msg=audit(1354453850.276:285): avc:  denied  { write } for
pid=1672 comm="httpd" name="nfsen.comm" dev="sda2" ino=1181791
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file


Michal Trunecka


On 02/16/2013 05:21 AM, Mark M wrote:
> Hi,
> 
> I got Nfsen installed and I can only access the web site if I have
> selinux disabled. I looked in the audit log and it looks like I am
> having that nfsen.comm selinux problem. I see people talking about this
> but no definite solutions. Does anyone know how I can apply the proper
> permissions or set the selinux to disabled only for that file? I want to
> keep selinux working if possible.  Everything works fine if I disable
> selinux.
> 
> 
> 
> 
> 
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> 
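The diagnosis in the reply comes down to reading the scontext/tcontext/tclass triple out of each denied AVC record. The following script is an added example (not part of the thread) that parses audit.log lines, groups denials by source type, target type and class, and flags targets labelled default_t, which is the mislabelled-file case the reply fixes with semanage/restorecon. The sample records are the two AVC lines from the mail, re-joined onto one line each as audit.log stores them.

```python
import re
from collections import defaultdict

# The AVC records quoted in the reply above, one record per line.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1354453850.276:285): arch=c000003e syscall=42 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354453850.276:285): avc:  denied  { connectto } for  pid=1672 comm="httpd" path="/data/nfsen/var/run/nfsen.comm" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1354453850.276:285): avc:  denied  { write } for  pid=1672 comm="httpd" name="nfsen.comm" dev="sda2" ino=1181791 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a 'denied' AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; policy rules are keyed on the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def summarize_denials(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return dict(groups)


def mislabeled_targets(text):
    """Denied objects whose target type is default_t, i.e. files that carry
    no specific label because no fcontext rule covers their path.  These are
    the candidates for a semanage fcontext / restorecon fix; confirm the
    target type to use with 'sesearch -s <stype> -c <tclass> --allow'."""
    hits = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d['ttype'] == 'default_t':
            hits.append((d['stype'], d['tclass'], d.get('name') or d.get('path')))
    return hits
```

Running it on a real /var/log/audit/audit.log (read as root) gives the same summary over every denial in the file, so repeated triples stand out immediately.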

