1nfsd_selinux(8) SELinux Policy nfsd nfsd_selinux(8)
2
3
4
6 nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes
7
9 Security-Enhanced Linux secures the nfsd processes via flexible manda‐
10 tory access control.
11
12 The nfsd processes execute with the nfsd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep nfsd_t
19
20
21
23 The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.
24
25 The default entrypoint paths for the nfsd_t domain are the following:
26
27 /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
28 /usr/sbin/rpc.mountd
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 nfsd policy is very flexible allowing users to setup their nfsd pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for nfsd:
41
42 nfsd_t
43
44 Note: semanage permissive -a nfsd_t can be used to make the process
45 type nfsd_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 SELinux policy is customizable based on least access required. nfsd
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run nfsd with the tightest access possible.
54
55
56
57 If you want to allow any files/directories to be exported read/only via
58 NFS, you must turn on the nfs_export_all_ro boolean. Enabled by
59 default.
60
61 setsebool -P nfs_export_all_ro 1
62
63
64
65 If you want to allow any files/directories to be exported read/write
66 via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by
67 default.
68
69 setsebool -P nfs_export_all_rw 1
70
71
72
73 If you want to allow users to resolve user passwd entries directly from
74 ldap rather then using a sssd server, you must turn on the authlo‐
75 gin_nsswitch_use_ldap boolean. Disabled by default.
76
77 setsebool -P authlogin_nsswitch_use_ldap 1
78
79
80
81 If you want to allow all domains to execute in fips_mode, you must turn
82 on the fips_mode boolean. Enabled by default.
83
84 setsebool -P fips_mode 1
85
86
87
88 If you want to allow confined applications to run with kerberos, you
89 must turn on the kerberos_enabled boolean. Enabled by default.
90
91 setsebool -P kerberos_enabled 1
92
93
94
95 If you want to allow system to run with NIS, you must turn on the
96 nis_enabled boolean. Disabled by default.
97
98 setsebool -P nis_enabled 1
99
100
101
102 If you want to allow confined applications to use nscd shared memory,
103 you must turn on the nscd_use_shm boolean. Disabled by default.
104
105 setsebool -P nscd_use_shm 1
106
107
108
110 SELinux defines port types to represent TCP and UDP ports.
111
112 You can see the types associated with a port by using the following
113 command:
114
115 semanage port -l
116
117
118 Policy governs the access confined processes have to these ports.
119 SELinux nfsd policy is very flexible allowing users to setup their nfsd
120 processes in as secure a method as possible.
121
122 The following port types are defined for nfsd:
123
124
125 nfs_port_t
126
127
128
129 Default Defined Ports:
130 tcp 2049,20048-20049
131 udp 2049,20048-20049
132
134 The SELinux process type nfsd_t can manage files labeled with the fol‐
135 lowing file types. The paths listed are the default paths for these
136 file types. Note the processes UID still need to have DAC permissions.
137
138 cluster_conf_t
139
140 /etc/cluster(/.*)?
141
142 cluster_var_lib_t
143
144 /var/lib/pcsd(/.*)?
145 /var/lib/cluster(/.*)?
146 /var/lib/openais(/.*)?
147 /var/lib/pengine(/.*)?
148 /var/lib/corosync(/.*)?
149 /usr/lib/heartbeat(/.*)?
150 /var/lib/heartbeat(/.*)?
151 /var/lib/pacemaker(/.*)?
152
153 cluster_var_run_t
154
155 /var/run/crm(/.*)?
156 /var/run/cman_.*
157 /var/run/rsctmp(/.*)?
158 /var/run/aisexec.*
159 /var/run/heartbeat(/.*)?
160 /var/run/corosync-qnetd(/.*)?
161 /var/run/corosync-qdevice(/.*)?
162 /var/run/corosync.pid
163 /var/run/cpglockd.pid
164 /var/run/rgmanager.pid
165 /var/run/cluster/rgmanager.sk
166
167 fsadm_var_run_t
168
169 /var/run/blkid(/.*)?
170
171 glusterd_log_t
172
173 /var/log/glusterfs(/.*)?
174
175 glusterd_var_run_t
176
177 /var/run/gluster(/.*)?
178 /var/run/glusterd.*
179 /var/run/glusterd.*
180 /var/run/glusterd(/.*)?
181
182 mount_var_run_t
183
184 /run/mount(/.*)?
185 /dev/.mount(/.*)?
186 /var/run/mount(/.*)?
187 /var/run/davfs2(/.*)?
188 /var/cache/davfs2(/.*)?
189
190 nfsd_fs_t
191
192
193 nfsd_tmp_t
194
195
196 nfsd_unit_file_t
197
198 /usr/lib/systemd/system/nfs.*
199
200 public_content_rw_t
201
202 /var/spool/abrt-upload(/.*)?
203
204 root_t
205
206 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
207 /
208 /initrd
209
210 rpcd_var_run_t
211
212 /var/run/sm-notify.*
213 /var/run/rpc.statd(/.*)?
214 /var/run/rpc.statd.pid
215
216 var_lib_nfs_t
217
218 /var/lib/nfs(/.*)?
219
220 var_lib_t
221
222 /opt/(.*/)?var/lib(/.*)?
223 /var/lib(/.*)?
224
225
227 SELinux requires files to have an extended attribute to define the file
228 type.
229
230 You can see the context of a file using the -Z option to ls
231
232 Policy governs the access confined processes have to these files.
233 SELinux nfsd policy is very flexible allowing users to setup their nfsd
234 processes in as secure a method as possible.
235
236 STANDARD FILE CONTEXT
237
238 SELinux defines the file context types for the nfsd, if you wanted to
239 store files with these types in a diffent paths, you need to execute
240 the semanage command to sepecify alternate labeling and then use
241 restorecon to put the labels on disk.
242
243 semanage fcontext -a -t nfsd_tmp_t '/srv/mynfsd_content(/.*)?'
244 restorecon -R -v /srv/mynfsd_content
245
246 Note: SELinux often uses regular expressions to specify labels that
247 match multiple files.
248
249 The following file types are defined for nfsd:
250
251
252
253 nfsd_exec_t
254
255 - Set files with the nfsd_exec_t type, if you want to transition an
256 executable to the nfsd_t domain.
257
258
259 Paths:
260 /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
261 /usr/sbin/rpc.mountd
262
263
264 nfsd_fs_t
265
266 - Set files with the nfsd_fs_t type, if you want to treat the files as
267 nfsd fs data.
268
269
270
271 nfsd_initrc_exec_t
272
273 - Set files with the nfsd_initrc_exec_t type, if you want to transition
274 an executable to the nfsd_initrc_t domain.
275
276
277
278 nfsd_tmp_t
279
280 - Set files with the nfsd_tmp_t type, if you want to store nfsd tempo‐
281 rary files in the /tmp directories.
282
283
284
285 nfsd_unit_file_t
286
287 - Set files with the nfsd_unit_file_t type, if you want to treat the
288 files as nfsd unit content.
289
290
291
292 Note: File context can be temporarily modified with the chcon command.
293 If you want to permanently change the file context you need to use the
294 semanage fcontext command. This will modify the SELinux labeling data‐
295 base. You will need to use restorecon to apply the labels.
296
297
299 If you want to share files with multiple domains (Apache, FTP, rsync,
300 Samba), you can set a file context of public_content_t and public_con‐
301 tent_rw_t. These context allow any of the above domains to read the
302 content. If you want a particular domain to write to the public_con‐
303 tent_rw_t domain, you must set the appropriate boolean.
304
305 Allow nfsd servers to read the /var/nfsd directory by adding the pub‐
306 lic_content_t file type to the directory and by restoring the file
307 type.
308
309 semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
310 restorecon -F -R -v /var/nfsd
311
312 Allow nfsd servers to read and write /var/nfsd/incoming by adding the
313 public_content_rw_t type to the directory and by restoring the file
314 type. You also need to turn on the nfsd_anon_write boolean.
315
316 semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
317 restorecon -F -R -v /var/nfsd/incoming
318 setsebool -P nfsd_anon_write 1
319
320
321 If you want to allow nfs servers to modify public files used for public
322 file transfer services. Files/Directories must be labeled public_con‐
323 tent_rw_t., you must turn on the nfsd_anon_write boolean.
324
325 setsebool -P nfsd_anon_write 1
326
327
329 semanage fcontext can also be used to manipulate default file context
330 mappings.
331
332 semanage permissive can also be used to manipulate whether or not a
333 process type is permissive.
334
335 semanage module can also be used to enable/disable/install/remove pol‐
336 icy modules.
337
338 semanage port can also be used to manipulate the port definitions
339
340 semanage boolean can also be used to manipulate the booleans
341
342
343 system-config-selinux is a GUI tool available to customize SELinux pol‐
344 icy settings.
345
346
348 This manual page was auto-generated using sepolicy manpage .
349
350
352 selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
353 setsebool(8)
354
355
356
357nfsd 19-06-18 nfsd_selinux(8)