nfsd_selinux(8)               SELinux Policy nfsd              nfsd_selinux(8)

NAME
       nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes

DESCRIPTION
       Security-Enhanced Linux secures the nfsd processes via flexible
       mandatory access control.

       The nfsd processes execute with the nfsd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep nfsd_t

ENTRYPOINTS
       The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.

       The default entrypoint paths for the nfsd_t domain are the following:

       /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
       /usr/sbin/rpc.mountd, /usr/bin/ganesha.nfsd

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       nfsd policy is very flexible, allowing users to set up their nfsd
       processes in as secure a manner as possible.

       The following process types are defined for nfsd:

       nfsd_t

       Note: semanage permissive -a nfsd_t can be used to make the process
       type nfsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS
       SELinux policy is customizable based on least access required. nfsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run nfsd with the tightest access possible.

       If you want to allow any files/directories to be exported read-only via
       NFS, you must turn on the nfs_export_all_ro boolean. Enabled by
       default.

       setsebool -P nfs_export_all_ro 1

       If you want to allow any files/directories to be exported read/write
       via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by
       default.

       setsebool -P nfs_export_all_rw 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1
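
       The following is an added example, not part of the sepolicy-generated
       page: a POSIX shell script that compares the state of the booleans
       above, as printed by getsebool -a, against a baseline the administrator
       has chosen, and prints the setsebool -P command for each boolean that
       has drifted from it. The baseline values and the getsebool output
       embedded in the script are constructed samples; run it with --live on a
       host that has the SELinux tools to check the real state instead.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Compare the nfsd-related booleans against a baseline chosen by the
# administrator and print the setsebool command for each one that drifted.
# Input is in the `getsebool -a` format ("name --> on"); the sample below is
# constructed so the script runs without SELinux tools installed.

SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
nis_enabled --> off
nscd_use_shm --> off'

# Constructed baseline ("name state" per line): read-only export of any file
# stays on; read/write export of any file and anonymous writes stay off.
BASELINE='nfs_export_all_ro on
nfs_export_all_rw off
nfsd_anon_write off
nis_enabled off
authlogin_nsswitch_use_ldap off'

# bool_state NAME INPUT -> "on", "off", or "unknown" if NAME is not listed
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# check_boolean_drift BASELINE ACTUAL -> one "setsebool -P name value" line per
# boolean whose actual state differs from the baseline; nothing when none drift.
check_boolean_drift() {
    printf '%s\n' "$1" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(bool_state "$name" "$2")
        if [ "$have" != "$want" ]; then
            if [ "$want" = on ]; then value=1; else value=0; fi
            printf 'setsebool -P %s %s\n' "$name" "$value"
        fi
    done
}

# Stand-alone run: use the live getsebool output with --live, else the sample.
if [ "${1-}" = --live ] && command -v getsebool >/dev/null 2>&1; then
    check_boolean_drift "$BASELINE" "$(getsebool -a)"
else
    check_boolean_drift "$BASELINE" "$SAMPLE_GETSEBOOL"
fi
```

       With the constructed sample the only drift reported is
       nfs_export_all_rw, so the script prints the single command that would
       turn it off; an "unknown" state means the boolean is not present in
       the loaded policy at all, which is worth investigating before any
       setsebool is run.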

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux nfsd policy is very flexible, allowing users to set up their
       nfsd processes in as secure a manner as possible.

       The following port types are defined for nfsd:

       nfs_port_t

       Default Defined Ports:
                 tcp 2049,20048-20049
                 udp 2049,20048-20049
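
       Added example (not from this page or the sepolicy tool): a POSIX shell
       script that parses output in the format of semanage port -l (type,
       protocol, comma-separated ports and ranges) to report which port type
       covers a given port, and prints the semanage port command that would
       bring an nfsd instance listening outside the defaults above under
       nfs_port_t. The semanage port -l lines embedded in the script are a
       constructed sample; the -a, -m, -t and -p options in the printed
       commands are semanage port's standard options.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Look up the SELinux port type covering a port/protocol pair in the output of
# `semanage port -l` (columns: type, protocol, comma-separated ports/ranges),
# and print the semanage command needed to bring a non-default nfsd port
# under nfs_port_t.

# Constructed sample of `semanage port -l` output (a few entries only).
SAMPLE_SEMANAGE_PORT='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
nfs_port_t                     tcp      2049, 20048-20049
nfs_port_t                     udp      2049, 20048-20049
rpc_port_t                     tcp      111
rpc_port_t                     udp      111'

# port_type_for PROTO PORT INPUT -> the first port type whose list covers
# PORT on PROTO, or "unreserved" when no definition matches.
port_type_for() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        BEGIN { port += 0 }
        $2 == proto && !found {
            for (i = 3; i <= NF; i++) {
                r = $i
                sub(/,$/, "", r)               # strip the list separator
                n = split(r, b, "-")           # "lo-hi" range or a single port
                lo = b[1] + 0
                hi = (n == 2) ? b[2] + 0 : lo
                if (port >= lo && port <= hi) { print $1; found = 1; break }
            }
        }
        END { if (!found) print "unreserved" }'
}

# nfs_port_fix_cmd PROTO PORT INPUT -> the semanage port command that would
# label PORT as nfs_port_t, or nothing if it already is.
nfs_port_fix_cmd() {
    current=$(port_type_for "$1" "$2" "$3")
    case $current in
        nfs_port_t) ;;
        unreserved) printf 'semanage port -a -t nfs_port_t -p %s %s\n' "$1" "$2" ;;
        *)          printf 'semanage port -m -t nfs_port_t -p %s %s\n' "$1" "$2" ;;
    esac
}

# Stand-alone demo over the constructed sample.
for proto_port in tcp:2049 udp:20048 tcp:2050 tcp:8443; do
    proto=${proto_port%:*}
    port=${proto_port#*:}
    printf '%s/%s -> %s\n' "$proto" "$port" \
        "$(port_type_for "$proto" "$port" "$SAMPLE_SEMANAGE_PORT")"
done
```

       A port that is already assigned to another type (8443 in the sample)
       needs semanage port -m rather than -a, because semanage port -a refuses
       to define a port that is already defined; check with semanage port -l
       before modifying a definition that another confined service relies on.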

MANAGED FILES
       The SELinux process type nfsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       fsadm_var_run_t

            /var/run/blkid(/.*)?

       glusterd_log_t

            /var/log/ganesha.log
            /var/log/ganesha(/.*)?
            /var/log/glusterfs(/.*)?
            /var/log/ganesha-gfapi.log

       glusterd_var_run_t

            /var/run/gluster(/.*)?
            /var/run/glusterd.*
            /var/run/glusterd(/.*)?

       mount_var_run_t

            /run/mount(/.*)?
            /dev/.mount(/.*)?
            /var/run/mount(/.*)?
            /var/run/davfs2(/.*)?
            /var/cache/davfs2(/.*)?

       nfsd_fs_t

       nfsd_tmp_t

       nfsd_unit_file_t

            /usr/lib/systemd/system/nfs.*
            /usr/lib/systemd/system/nfs-ganesha.*e
            /usr/lib/systemd/system/nfs-ganesha-lock.*
            /usr/lib/systemd/system/nfs-ganesha-config.*

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       rpcd_var_run_t

            /var/run/ganesha.*
            /var/run/sm-notify.*
            /var/run/rpc.statd(/.*)?
            /var/run/rpc.statd.pid

       var_lib_nfs_t

            /var/lib/nfs(/.*)?

       var_lib_t

            /opt/(.*/)?var/lib(/.*)?
            /var/lib(/.*)?

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux nfsd policy is very flexible, allowing users to set up their
       nfsd processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for nfsd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t nfsd_tmp_t '/srv/mynfsd_content(/.*)?'
       restorecon -R -v /srv/mynfsd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for nfsd:

       nfsd_exec_t

       - Set files with the nfsd_exec_t type, if you want to transition an
       executable to the nfsd_t domain.

       Paths:
            /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
            /usr/sbin/rpc.mountd, /usr/bin/ganesha.nfsd

       nfsd_fs_t

       - Set files with the nfsd_fs_t type, if you want to treat the files as
       nfsd fs data.

       nfsd_initrc_exec_t

       - Set files with the nfsd_initrc_exec_t type, if you want to transition
       an executable to the nfsd_initrc_t domain.

       nfsd_tmp_t

       - Set files with the nfsd_tmp_t type, if you want to store nfsd
       temporary files in the /tmp directories.

       nfsd_unit_file_t

       - Set files with the nfsd_unit_file_t type, if you want to treat the
       files as nfsd unit content.

       Paths:
            /usr/lib/systemd/system/nfs.*,
            /usr/lib/systemd/system/nfs-ganesha.*e,
            /usr/lib/systemd/system/nfs-ganesha-lock.*,
            /usr/lib/systemd/system/nfs-ganesha-config.*

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
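
       The following is an added example, not part of the sepolicy-generated
       page: a POSIX shell script that resolves which type a path receives
       from a set of file context specifications, the way restorecon and
       matchpathcon do in principle (each pattern is matched against the whole
       path, and among the matching entries the most specific one wins). It
       shows how overlapping entries such as /var/lib(/.*)? and
       /var/lib/nfs(/.*)? are resolved. The pattern table in the script is a
       constructed sample taken from the paths listed on this page plus the
       /srv/mynfsd_content entry above; the specificity rule used (longest
       literal prefix, then longest pattern) approximates libselinux's
       ordering and is an assumption of the example, not the authoritative
       labeling logic.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Resolve which file type a path would receive from a set of file-context
# specifications: every entry is matched against the whole path, and among
# the matches the most specific one (longest literal prefix, then longest
# pattern) wins. Real labeling is done by libselinux; this is an
# approximation for reasoning about overlapping entries.

# Constructed table, "regex type" per line, drawn from the paths on this page
# plus the semanage fcontext example for /srv/mynfsd_content.
FCONTEXT_TABLE='/var/lib(/.*)? var_lib_t
/var/lib/nfs(/.*)? var_lib_nfs_t
/var/run/rpc.statd(/.*)? rpcd_var_run_t
/var/run/rpc.statd.pid rpcd_var_run_t
/usr/sbin/rpc.nfsd nfsd_exec_t
/srv/mynfsd_content(/.*)? nfsd_tmp_t'

# literal_prefix REGEX -> the part of REGEX before its first metacharacter
# (the "stem" that SELinux uses to order specifications)
literal_prefix() {
    printf '%s\n' "$1" | sed 's/[][*.?+(){}|^$].*//'
}

# resolve_label PATH TABLE -> the type of the most specific matching entry,
# or "no-match" if no specification covers PATH
resolve_label() {
    path=$1
    best_type=no-match
    best_stem=-1
    best_len=-1
    while read -r regex type; do
        [ -n "$regex" ] || continue
        # Anchor the pattern so it must match the entire path, as SELinux does.
        if printf '%s\n' "$path" | grep -Eq "^($regex)\$"; then
            stem=$(literal_prefix "$regex")
            stem_len=${#stem}
            re_len=${#regex}
            if [ "$stem_len" -gt "$best_stem" ] ||
               { [ "$stem_len" -eq "$best_stem" ] && [ "$re_len" -gt "$best_len" ]; }; then
                best_type=$type
                best_stem=$stem_len
                best_len=$re_len
            fi
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best_type"
}

# Stand-alone demo: a few paths resolved against the constructed table.
for p in /var/lib/nfs/etab /var/lib/misc /var/run/rpc.statd.pid /etc/exports; do
    printf '%s -> %s\n' "$p" "$(resolve_label "$p" "$FCONTEXT_TABLE")"
done
```

       /var/lib/nfs/etab matches both /var/lib(/.*)? and /var/lib/nfs(/.*)?,
       and the longer stem /var/lib/nfs wins, so the file gets var_lib_nfs_t
       rather than the generic var_lib_t; a path no entry covers reports
       no-match. On a real host, matchpathcon and semanage fcontext -l remain
       the authoritative answer.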

SHARING FILES
       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to the
       public_content_rw_t domain, you must set the appropriate boolean.

       Allow nfsd servers to read the /var/nfsd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
       restorecon -F -R -v /var/nfsd

       Allow nfsd servers to read and write /var/nfsd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the nfsd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
       restorecon -F -R -v /var/nfsd/incoming
       setsebool -P nfsd_anon_write 1

       If you want to allow nfs servers to modify public files used for public
       file transfer services (the files and directories must be labeled
       public_content_rw_t), you must turn on the nfsd_anon_write boolean.

       setsebool -P nfsd_anon_write 1

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)

nfsd                               19-05-30                    nfsd_selinux(8)