nfsd_selinux(8)

1nfsd_selinux(8)               SELinux Policy nfsd              nfsd_selinux(8)
2
3
4

NAME

6       nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the nfsd processes via flexible manda‐
10       tory access control.
11
12       The nfsd processes execute with the nfsd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep nfsd_t
19
20
21

ENTRYPOINTS

23       The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.
24
25       The default entrypoint paths for the nfsd_t domain are the following:
26
27       /usr/lib/systemd/system-generators/nfs.*,           /usr/sbin/rpc.nfsd,
28       /usr/sbin/rpc.mountd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       nfsd  policy  is  very flexible allowing users to setup their nfsd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for nfsd:
41
42       nfsd_t
43
44       Note: semanage permissive -a nfsd_t can be used  to  make  the  process
45       type  nfsd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  nfsd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run nfsd with the tightest access possible.
54
55
56
57       If you want to allow any files/directories to be exported read/only via
58       NFS, you  must  turn  on  the  nfs_export_all_ro  boolean.  Enabled  by
59       default.
60
61       setsebool -P nfs_export_all_ro 1
62
63
64
65       If  you  want  to allow any files/directories to be exported read/write
66       via NFS, you must turn on the  nfs_export_all_rw  boolean.  Enabled  by
67       default.
68
69       setsebool -P nfs_export_all_rw 1
70
71
72
73       If you want to allow all domains to execute in fips_mode, you must turn
74       on the fips_mode boolean. Enabled by default.
75
76       setsebool -P fips_mode 1
77
78
79

PORT TYPES

81       SELinux defines port types to represent TCP and UDP ports.
82
83       You can see the types associated with a port  by  using  the  following
84       command:
85
86       semanage port -l
87
88
89       Policy  governs  the  access  confined  processes  have to these ports.
90       SELinux nfsd policy is very flexible allowing users to setup their nfsd
91       processes in as secure a method as possible.
92
93       The following port types are defined for nfsd:
94
95
96       nfs_port_t
97
98
99
100       Default Defined Ports:
101                 tcp 2049,20048-20049
102                 udp 2049,20048-20049
103

MANAGED FILES

105       The  SELinux process type nfsd_t can manage files labeled with the fol‐
106       lowing file types.  The paths listed are the default  paths  for  these
107       file types.  Note the processes UID still need to have DAC permissions.
108
109       cluster_conf_t
110
111            /etc/cluster(/.*)?
112
113       cluster_var_lib_t
114
115            /var/lib/pcsd(/.*)?
116            /var/lib/cluster(/.*)?
117            /var/lib/openais(/.*)?
118            /var/lib/pengine(/.*)?
119            /var/lib/corosync(/.*)?
120            /usr/lib/heartbeat(/.*)?
121            /var/lib/heartbeat(/.*)?
122            /var/lib/pacemaker(/.*)?
123
124       cluster_var_run_t
125
126            /var/run/crm(/.*)?
127            /var/run/cman_.*
128            /var/run/rsctmp(/.*)?
129            /var/run/aisexec.*
130            /var/run/heartbeat(/.*)?
131            /var/run/corosync-qnetd(/.*)?
132            /var/run/corosync-qdevice(/.*)?
133            /var/run/corosync.pid
134            /var/run/cpglockd.pid
135            /var/run/rgmanager.pid
136            /var/run/cluster/rgmanager.sk
137
138       fsadm_var_run_t
139
140            /var/run/blkid(/.*)?
141
142       glusterd_log_t
143
144            /var/log/glusterfs(/.*)?
145
146       glusterd_var_run_t
147
148            /var/run/gluster(/.*)?
149            /var/run/glusterd.*
150            /var/run/glusterd.*
151            /var/run/glusterd(/.*)?
152
153       mount_var_run_t
154
155            /run/mount(/.*)?
156            /dev/.mount(/.*)?
157            /var/run/mount(/.*)?
158            /var/run/davfs2(/.*)?
159            /var/cache/davfs2(/.*)?
160
161       nfsd_fs_t
162
163
164       nfsd_unit_file_t
165
166            /usr/lib/systemd/system/nfs.*
167
168       root_t
169
170            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
171            /
172            /initrd
173
174       rpcd_var_run_t
175
176            /var/run/sm-notify.*
177            /var/run/rpc.statd(/.*)?
178            /var/run/rpc.statd.pid
179
180       var_lib_nfs_t
181
182            /var/lib/nfs(/.*)?
183
184       var_lib_t
185
186            /opt/(.*/)?var/lib(/.*)?
187            /var/lib(/.*)?
188
189

FILE CONTEXTS

191       SELinux requires files to have an extended attribute to define the file
192       type.
193
194       You can see the context of a file using the -Z option to ls
195
196       Policy governs the access  confined  processes  have  to  these  files.
197       SELinux nfsd policy is very flexible allowing users to setup their nfsd
198       processes in as secure a method as possible.
199
200       STANDARD FILE CONTEXT
201
202       SELinux defines the file context types for the nfsd, if you  wanted  to
203       store  files  with  these types in a diffent paths, you need to execute
204       the semanage command  to  sepecify  alternate  labeling  and  then  use
205       restorecon to put the labels on disk.
206
207       semanage fcontext -a -t nfsd_tmp_t '/srv/mynfsd_content(/.*)?'
208       restorecon -R -v /srv/mynfsd_content
209
210       Note:  SELinux  often  uses  regular expressions to specify labels that
211       match multiple files.
212
213       The following file types are defined for nfsd:
214
215
216
217       nfsd_exec_t
218
219       - Set files with the nfsd_exec_t type, if you  want  to  transition  an
220       executable to the nfsd_t domain.
221
222
223       Paths:
224            /usr/lib/systemd/system-generators/nfs.*,      /usr/sbin/rpc.nfsd,
225            /usr/sbin/rpc.mountd
226
227
228       nfsd_fs_t
229
230       - Set files with the nfsd_fs_t type, if you want to treat the files  as
231       nfsd fs data.
232
233
234
235       nfsd_initrc_exec_t
236
237       - Set files with the nfsd_initrc_exec_t type, if you want to transition
238       an executable to the nfsd_initrc_t domain.
239
240
241
242       nfsd_tmp_t
243
244       - Set files with the nfsd_tmp_t type, if you want to store nfsd  tempo‐
245       rary files in the /tmp directories.
246
247
248
249       nfsd_unit_file_t
250
251       -  Set  files  with the nfsd_unit_file_t type, if you want to treat the
252       files as nfsd unit content.
253
254
255
256       Note: File context can be temporarily modified with the chcon  command.
257       If  you want to permanently change the file context you need to use the
258       semanage fcontext command.  This will modify the SELinux labeling data‐
259       base.  You will need to use restorecon to apply the labels.
260
261

SHARING FILES

263       If  you  want to share files with multiple domains (Apache, FTP, rsync,
264       Samba), you can set a file context of public_content_t and  public_con‐
265       tent_rw_t.   These  context  allow any of the above domains to read the
266       content.  If you want a particular domain to write to  the  public_con‐
267       tent_rw_t domain, you must set the appropriate boolean.
268
269       Allow  nfsd  servers to read the /var/nfsd directory by adding the pub‐
270       lic_content_t file type to the directory  and  by  restoring  the  file
271       type.
272
273       semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
274       restorecon -F -R -v /var/nfsd
275
276       Allow  nfsd  servers to read and write /var/nfsd/incoming by adding the
277       public_content_rw_t type to the directory and  by  restoring  the  file
278       type.  You also need to turn on the nfsd_anon_write boolean.
279
280       semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
281       restorecon -F -R -v /var/nfsd/incoming
282       setsebool -P nfsd_anon_write 1
283
284
285       If you want to allow nfs servers to modify public files used for public
286       file transfer services.  Files/Directories must be labeled  public_con‐
287       tent_rw_t., you must turn on the nfsd_anon_write boolean.
288
289       setsebool -P nfsd_anon_write 1
290
291

COMMANDS

293       semanage  fcontext  can also be used to manipulate default file context
294       mappings.
295
296       semanage permissive can also be used to manipulate  whether  or  not  a
297       process type is permissive.
298
299       semanage  module can also be used to enable/disable/install/remove pol‐
300       icy modules.
301
302       semanage port can also be used to manipulate the port definitions
303
304       semanage boolean can also be used to manipulate the booleans
305
306
307       system-config-selinux is a GUI tool available to customize SELinux pol‐
308       icy settings.
309
310

AUTHOR

312       This manual page was auto-generated using sepolicy manpage .
313
314