SELinux Apache Allow To Serve The Contents Of a Loopback Mounted ISO Image

Q. How do I configure CentOS Linux SELinux security to permit httpd 2.2 (Apache web server) to serve the contents of a loopback mounted ISO images located at /var/www/html/lan/iso directory?

A. You need to use the context= option with mount command, which is useful when mounting filesystems that do not support extended attributes, such as a floppy or hard disk formatted with VFAT, or systems that are not normally running under SELinux, such as an ext3 formatted disk from a non-SELinux workstation. You can also use context= on filesystems you do not trust, such as a floppy. It also helps in compatibility with xattr supporting filesystems on earlier 2.4. kernel versions. Even where xattrs are supported, you can save time not having to label every file by assigning the entire disk one security context. A commonly used option for removable media is context=system_u:object_r:removable_t.

Here is the command you need to use with your system:
# mount -o loop,context=system_u:object_r:httpd_sys_content_t /path/to/image.iso /var/www/html/lan/iso

Above will give Apache policy a security context of system_u:object_r:httpd_sys_content_t. Refer selinux policy help pages for further information.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft: