1nfsd_selinux(8)               SELinux Policy nfsd              nfsd_selinux(8)
2
3
4

NAME

6       nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the nfsd processes via flexible manda‐
10       tory access control.
11
12       The nfsd processes execute with the nfsd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep nfsd_t
19
20
21

ENTRYPOINTS

23       The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.
24
25       The default entrypoint paths for the nfsd_t domain are the following:
26
27       /usr/lib/systemd/system-generators/nfs.*,           /usr/sbin/rpc.nfsd,
28       /usr/sbin/rpc.mountd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       nfsd  policy  is  very flexible allowing users to setup their nfsd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for nfsd:
41
42       nfsd_t
43
44       Note: semanage permissive -a nfsd_t can be used  to  make  the  process
45       type  nfsd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  nfsd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run nfsd with the tightest access possible.
54
55
56
57       If you want to allow any files/directories to be exported read/only via
58       NFS, you  must  turn  on  the  nfs_export_all_ro  boolean.  Enabled  by
59       default.
60
61       setsebool -P nfs_export_all_ro 1
62
63
64
65       If  you  want  to allow any files/directories to be exported read/write
66       via NFS, you must turn on the  nfs_export_all_rw  boolean.  Enabled  by
67       default.
68
69       setsebool -P nfs_export_all_rw 1
70
71
72
73       If you want to allow users to resolve user passwd entries directly from
74       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
75       gin_nsswitch_use_ldap boolean. Disabled by default.
76
77       setsebool -P authlogin_nsswitch_use_ldap 1
78
79
80
81       If you want to allow all domains to execute in fips_mode, you must turn
82       on the fips_mode boolean. Enabled by default.
83
84       setsebool -P fips_mode 1
85
86
87
88       If you want to allow confined applications to run  with  kerberos,  you
89       must turn on the kerberos_enabled boolean. Enabled by default.
90
91       setsebool -P kerberos_enabled 1
92
93
94
95       If  you  want  to  allow  system  to run with NIS, you must turn on the
96       nis_enabled boolean. Disabled by default.
97
98       setsebool -P nis_enabled 1
99
100
101
102       If you want to allow confined applications to use nscd  shared  memory,
103       you must turn on the nscd_use_shm boolean. Enabled by default.
104
105       setsebool -P nscd_use_shm 1
106
107
108

PORT TYPES

110       SELinux defines port types to represent TCP and UDP ports.
111
112       You  can  see  the  types associated with a port by using the following
113       command:
114
115       semanage port -l
116
117
118       Policy governs the access  confined  processes  have  to  these  ports.
119       SELinux nfsd policy is very flexible allowing users to setup their nfsd
120       processes in as secure a method as possible.
121
122       The following port types are defined for nfsd:
123
124
125       nfs_port_t
126
127
128
129       Default Defined Ports:
130                 tcp 2049,20048-20049
131                 udp 2049,20048-20049
132

MANAGED FILES

134       The SELinux process type nfsd_t can manage files labeled with the  fol‐
135       lowing  file  types.   The paths listed are the default paths for these
136       file types.  Note the processes UID still need to have DAC permissions.
137
138       cluster_conf_t
139
140            /etc/cluster(/.*)?
141
142       cluster_var_lib_t
143
144            /var/lib/pcsd(/.*)?
145            /var/lib/cluster(/.*)?
146            /var/lib/openais(/.*)?
147            /var/lib/pengine(/.*)?
148            /var/lib/corosync(/.*)?
149            /usr/lib/heartbeat(/.*)?
150            /var/lib/heartbeat(/.*)?
151            /var/lib/pacemaker(/.*)?
152
153       cluster_var_run_t
154
155            /var/run/crm(/.*)?
156            /var/run/cman_.*
157            /var/run/rsctmp(/.*)?
158            /var/run/aisexec.*
159            /var/run/heartbeat(/.*)?
160            /var/run/corosync-qnetd(/.*)?
161            /var/run/corosync-qdevice(/.*)?
162            /var/run/corosync.pid
163            /var/run/cpglockd.pid
164            /var/run/rgmanager.pid
165            /var/run/cluster/rgmanager.sk
166
167       fsadm_var_run_t
168
169            /var/run/blkid(/.*)?
170
171       glusterd_log_t
172
173            /var/log/glusterfs(/.*)?
174
175       glusterd_var_run_t
176
177            /var/run/gluster(/.*)?
178            /var/run/glusterd.*
179            /var/run/glusterd.*
180            /var/run/glusterd(/.*)?
181
182       mount_var_run_t
183
184            /run/mount(/.*)?
185            /dev/.mount(/.*)?
186            /var/run/mount(/.*)?
187            /var/run/davfs2(/.*)?
188            /var/cache/davfs2(/.*)?
189
190       nfsd_fs_t
191
192
193       nfsd_tmp_t
194
195
196       nfsd_unit_file_t
197
198            /usr/lib/systemd/system/nfs.*
199
200       public_content_rw_t
201
202            /var/spool/abrt-upload(/.*)?
203
204       root_t
205
206            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
207            /
208            /initrd
209
210       rpcd_var_run_t
211
212            /var/run/sm-notify.*
213            /var/run/rpc.statd(/.*)?
214            /var/run/rpc.statd.pid
215
216       var_lib_nfs_t
217
218            /var/lib/nfs(/.*)?
219
220       var_lib_t
221
222            /opt/(.*/)?var/lib(/.*)?
223            /var/lib(/.*)?
224
225

FILE CONTEXTS

227       SELinux requires files to have an extended attribute to define the file
228       type.
229
230       You can see the context of a file using the -Z option to ls
231
232       Policy  governs  the  access  confined  processes  have to these files.
233       SELinux nfsd policy is very flexible allowing users to setup their nfsd
234       processes in as secure a method as possible.
235
236       STANDARD FILE CONTEXT
237
238       SELinux  defines  the file context types for the nfsd, if you wanted to
239       store files with these types in a diffent paths, you  need  to  execute
240       the  semanage  command  to  sepecify  alternate  labeling  and then use
241       restorecon to put the labels on disk.
242
243       semanage fcontext -a -t nfsd_tmp_t '/srv/mynfsd_content(/.*)?'
244       restorecon -R -v /srv/mynfsd_content
245
246       Note: SELinux often uses regular expressions  to  specify  labels  that
247       match multiple files.
248
249       The following file types are defined for nfsd:
250
251
252
253       nfsd_exec_t
254
255       -  Set  files  with  the nfsd_exec_t type, if you want to transition an
256       executable to the nfsd_t domain.
257
258
259       Paths:
260            /usr/lib/systemd/system-generators/nfs.*,      /usr/sbin/rpc.nfsd,
261            /usr/sbin/rpc.mountd
262
263
264       nfsd_fs_t
265
266       -  Set files with the nfsd_fs_t type, if you want to treat the files as
267       nfsd fs data.
268
269
270
271       nfsd_initrc_exec_t
272
273       - Set files with the nfsd_initrc_exec_t type, if you want to transition
274       an executable to the nfsd_initrc_t domain.
275
276
277
278       nfsd_tmp_t
279
280       -  Set files with the nfsd_tmp_t type, if you want to store nfsd tempo‐
281       rary files in the /tmp directories.
282
283
284
285       nfsd_unit_file_t
286
287       - Set files with the nfsd_unit_file_t type, if you want  to  treat  the
288       files as nfsd unit content.
289
290
291
292       Note:  File context can be temporarily modified with the chcon command.
293       If you want to permanently change the file context you need to use  the
294       semanage fcontext command.  This will modify the SELinux labeling data‐
295       base.  You will need to use restorecon to apply the labels.
296
297

SHARING FILES

299       If you want to share files with multiple domains (Apache,  FTP,  rsync,
300       Samba),  you can set a file context of public_content_t and public_con‐
301       tent_rw_t.  These context allow any of the above domains  to  read  the
302       content.   If  you want a particular domain to write to the public_con‐
303       tent_rw_t domain, you must set the appropriate boolean.
304
305       Allow nfsd servers to read the /var/nfsd directory by adding  the  pub‐
306       lic_content_t  file  type  to  the  directory and by restoring the file
307       type.
308
309       semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
310       restorecon -F -R -v /var/nfsd
311
312       Allow nfsd servers to read and write /var/nfsd/incoming by  adding  the
313       public_content_rw_t  type  to  the  directory and by restoring the file
314       type.  You also need to turn on the nfsd_anon_write boolean.
315
316       semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
317       restorecon -F -R -v /var/nfsd/incoming
318       setsebool -P nfsd_anon_write 1
319
320
321       If you want to allow nfs servers to modify public files used for public
322       file  transfer services.  Files/Directories must be labeled public_con‐
323       tent_rw_t., you must turn on the nfsd_anon_write boolean.
324
325       setsebool -P nfsd_anon_write 1
326
327

COMMANDS

329       semanage fcontext can also be used to manipulate default  file  context
330       mappings.
331
332       semanage  permissive  can  also  be used to manipulate whether or not a
333       process type is permissive.
334
335       semanage module can also be used to enable/disable/install/remove  pol‐
336       icy modules.
337
338       semanage port can also be used to manipulate the port definitions
339
340       semanage boolean can also be used to manipulate the booleans
341
342
343       system-config-selinux is a GUI tool available to customize SELinux pol‐
344       icy settings.
345
346

AUTHOR

348       This manual page was auto-generated using sepolicy manpage .
349
350

SEE ALSO

352       selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
353       setsebool(8)
354
355
356
357nfsd                               19-10-08                    nfsd_selinux(8)
Impressum