Apache accessing nfs mounted dir with selinux enabled on CentOS 4.x

I had recently to modify/add some selinux policies on a CentOS 4.7 machine running in the DMZ network. The goal was to mount (through the Firewall between the DMZ and the production network) a exported NFS dir (from a CentOS 5.2 machine in the production lan) to a CentOS 4.7 machine. The second goal was to permit the httpd process on that CentOS 4.7 to browse and read file from that NFS dir.

The first goal was met by configuring properly the ports used on the NFS server (basically you can follow Jim's advice on that point but you can easily change port numbers of course) otherwise it's gonna be a nightmare to manage if you don't know in advance which ports need to be opened in your firewall ;-)

But the *Fun* really began when i tried to access that NFS dir from Apache/httpd : of course it doesn't work with selinux enabled .. Does that mean that you have to disable selinux on a machine sitting in the DMZ and exposed on the Wild internet through the httpd process ? No !

While several folks adviced that, don't do it .. On the other hand, it's true that modifying selinux booleans/policies is easier on CentOS 5.x than it was on 4.x ...

Thanks to help from other CentOS folks hanging in #centos-social (akaRange, our selinux guy :-p , and ivazquez), i was able to refresh my mind on selinux policies on CentOS 4.x. audit2allow permits you to scan your denied attempts and so to create new policies. On CentOS 4.x there are not a lot of selinux booleans you can modify (`getsebool -a|wc -l` returning 26 on 4.x and 213 on 5.x) and audit2allow doesn't include the -M option on 4.x to create a new module that can be inserted later on.

So how to create (and so use) your new policy on 4.x ? Let's use audit2allow first to see what we need (in our case let the httpd process access nfs mounted dir and read files ) : `audit2allow -l -i /var/log/messages` : that returns us a list of interesting stuff.

To create a new rule, you need to install the selinux-policy-targeted-sources package. Then you need to create a new file under /etc/selinux/targeted/src/policy/domains/misc (for example httpnfs.te) and then launch `make load` in /etc/selinux/targeted/src/policy to load your newly created rules.

For example, my /etc/selinux/targeted/src/policy/domains/misc/httpnfs.te contains :

allow httpd_t nfs_t:dir { getattr read search };
allow httpd_t nfs_t:file getattr;
allow httpd_t nfs_t:file read;
Voila, that was a 'quick refresh' on selinux on CentOS 4.x .. and i hope someone will find this useful too :D

Arrfab's blog Some tips and tricks, mostly around CentOS

Apache accessing nfs mounted dir with selinux enabled on CentOS 4.x