Linux – SELinux context of files mounted from a Solaris server


Something I'm attempting to run in RHEL 6 fails as a result of SELinux. The problem is temporarily easily solved with setenforce 0. However, turning SELinux off entirely isn't an option in my case.

The problem is that these files are mounted from an old Solaris machine, and the context of everything loaded is system_u:object_r:nfs_t:s0. I need to modify just a handful of files that are mounted from that machine to httpd_sys_content_t.

Any attempt to do this, however, results in "Operation not supported". The command I am attempting to use is:

chcon -R -h -t httpd_sys_content_t /path/to/my/stuff

From what I can tell, this is because everything from that server is mounted as system_u:object_r:nfs_t:s0. Being Solaris, I can't go to the machine itself and use chcon, as SELinux and chcon don't exist.

The solution I can think of that will work is to just install the same software on this machine, which is RHEL 6, cutting Solaris out altogether. I'd like to know if that is my only choice or not.

Best Answer

Two options (within SELinux) exist:

1) If all else fails, audit2allow can convert any SELinux denials into allowed operations.

2) What I would recommend: Enable the SELinux boolean for allowing httpd_t to access nfs_t objects:

[root@ditirlns02 ~]# getsebool httpd_use_nfs
httpd_use_nfs --> off
[root@ditirlns02 ~]# setsebool -P httpd_use_nfs=1
[root@ditirlns02 ~]# getsebool httpd_use_nfs
httpd_use_nfs --> on
[root@ditirlns02 ~]# 

Security contexts are set by the machine that mounts the remote filesystem, so Solaris is largely unrelated. Even if the exports were coming from RHEL, the NFS exports are still going to be nfs_t, and there's not much you can do about that.
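
Before choosing between the two options above, it helps to see which denials are actually httpd_t being blocked on nfs_t objects and which are something else that audit2allow, run over the whole log, would also turn into allow rules. The script below is an added example, not part of the original answer; the function names and the audit.log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: sort httpd_t AVC denials into
# those on nfs_t objects and everything else.

# Constructed audit.log lines (illustrative values, not from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=0:15 ino=4211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/path/to/my/stuff/index.html" dev=0:15 ino=4211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1400000000.103:203): avc:  denied  { search } for  pid=2101 comm="httpd" name="stuff" dev=0:15 ino=4200 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1400000000.104:204): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.105:205): avc:  denied  { read } for  pid=3300 comm="smbd" name="a.txt" dev=0:15 ino=4300 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1400000000.106:206): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=0:15 ino=4211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   <nfs|other> <tclass>:<perm> <target type> <count>
# "nfs" marks httpd_t blocked on an nfs_t object, the case the httpd_use_nfs
# boolean is aimed at. "other" marks any other httpd_t denial. Denials from
# other source domains (smbd_t above) are skipped.
classify_httpd_denials() {
  awk '
    /avc:/ && /denied/ {
      src = tgt = cls = ""; n = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
        else if ($i == "{")
          for (j = i + 1; j <= NF && $j != "}"; j++) perm[++n] = $j
      }
      if (src != "httpd_t") next
      verdict = (tgt == "nfs_t") ? "nfs" : "other"
      for (p = 1; p <= n; p++) seen[verdict " " cls ":" perm[p] " " tgt]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | LC_ALL=C sort
}

sample_audit_log | classify_httpd_denials
```

On a real host, feed it /var/log/audit/audit.log instead of the sample. Any "other" line is a denial the boolean will not address, and one that a blanket audit2allow module would permit along with the NFS access.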
