On Wed, 15 Apr 2009, Dhiraj Chawla wrote:

> Hello Mr. Saifi,
> 
> Thanks a lot. It worked after doing "setenforce 0".
> 
> Can you please explain to me what was the reason behind sshfs not working
> earlier. Below are the logs of audit.log and auto.master
> 

Re-writing the log entry for better understanding:

type=AVC_PATH msg=audit(1239676549.201:1256): 
  path="/var/www/html/cluster"

type=AVC msg=audit(1239676549.201:1257): 
  avc:  denied  { getattr } 
    for pid=14182 comm="httpd" name="cluster" dev=dm-0 ino=1936418

scontext=system_u:system_r:httpd_t:s0

tcontext=root:object_r:user_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1239676549.201:1257): 
  arch=40000003 
  syscall=196
  success=no 
  exit=-13 
  a0=81e11050 a1=bffb941c a2=280ff4 a3=2008171 items=0
  ppid=2291 
  pid=14182 
  auid=4294967295 
   uid=48  gid=48  euid=48 suid=48 fsuid=48
  egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
  subj=system_u:system_r:httpd_t:s0 key=(null)


As part of the SELinux environment all the files created have
'security labels'. Typically, one can see them with 'ls -Z' 
option on F (option not available on all systems).

The terms 'security labels' and 'security context' are used
interchangeably.

Here is a small lookup table

 Object type   Context type    Storage location
 -----------   ------------    ----------------
  process       domain            proc
  file          file_context      inode

A security context is built as:
  httpd   system_u:system_r:httpd_t
  nfs     system_u:object_r:nfs_t


The SELinux specification talks about a generic format as:

  Users : Roles : Types : MLS comp

MLS : Multi level security
MCS : Multi Category security

AVC gives some idea about (A)ccess (V)iolation as evident from
the type field.

With this background, we understand the log a little better and
can conclude that "denied" is due to the "MLS" enforcement by
SELinux as it recognized that a new mount point has been created
for which it 'does not have a proper security context' !

The easiest work around is to use the knowledge about the
SELinux operating modes:
 . Enforcing
 . Permissive
 . Disabled

So, when you issue the following command
# setenforce 0

you have effectively set SELinux to 'Disabled' state.

This configuration will be lost when you reboot.

To make the configuration accessible at each reboot, please
update the following file

/etc/selinux/config

with the entry

SELINUX=disabled


Hope this helps. Have a nice day !


thanks
Saifi.
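An added example, not part of the thread and not code from either correspondent: it parses audit records of the shape re-written above and splits each security context into the user:role:type:MLS components the mail describes, so a denial can be read as "which domain was denied which permission on which labelled object". The sample log is the thread's own records, reconstructed onto one line each.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the records quoted in this thread, one per line as auditd writes them.
SAMPLE_AUDIT = """\
type=AVC_PATH msg=audit(1239676549.201:1256): path="/var/www/html/cluster"
type=AVC msg=audit(1239676549.201:1257): avc:  denied  { getattr } for pid=14182 comm="httpd" name="cluster" dev=dm-0 ino=1936418 scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1239676549.201:1257): arch=40000003 syscall=196 success=no exit=-13 items=0 ppid=2291 pid=14182 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

@dataclass
class Context:
    user: str   # SELinux user, e.g. system_u
    role: str   # role, e.g. object_r
    type: str   # type/domain, e.g. httpd_t or user_home_t
    mls: str    # MLS/MCS component, empty when absent

def parse_context(raw: str) -> Context:
    """Split user:role:type[:mls]; maxsplit keeps a range like s0-s0:c0.c1023 whole."""
    parts = raw.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {raw!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line: str) -> Optional[dict]:
    """Parse one type=AVC record; AVC_PATH, SYSCALL and other records give None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {"serial": int(m.group("serial")), "result": m.group("result"),
            "perms": m.group("perms").split(), "comm": f.get("comm"),
            "tclass": f.get("tclass"), "scontext": parse_context(f["scontext"]),
            "tcontext": parse_context(f["tcontext"])}

def denials(log: str) -> list:
    """All AVC denials in an audit log, in file order."""
    recs = (parse_avc(line) for line in log.splitlines())
    return [r for r in recs if r and r["result"] == "denied"]

def summarize(rec: dict) -> str:
    return (f"{rec['comm']} ({rec['scontext'].type}) denied {' '.join(rec['perms'])} "
            f"on {rec['tclass']} labelled {rec['tcontext'].type}")
```

Run over the sample, it reports the thread's denial as httpd_t being refused getattr on a directory labelled user_home_t, which is the mismatch the log above shows.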
