1nfsd_selinux(8)               SELinux Policy nfsd              nfsd_selinux(8)
2
3
4

NAME

6       nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the nfsd processes via flexible manda‐
10       tory access control.
11
12       The nfsd processes execute with the nfsd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep nfsd_t
19
20
21

ENTRYPOINTS

23       The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.
24
25       The default entrypoint paths for the nfsd_t domain are the following:
26
27       /usr/lib/systemd/system-generators/nfs.*,           /usr/sbin/rpc.nfsd,
28       /usr/sbin/rpc.mountd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       nfsd  policy  is  very flexible allowing users to setup their nfsd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for nfsd:
41
42       nfsd_t
43
44       Note: semanage permissive -a nfsd_t can be used  to  make  the  process
45       type  nfsd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  nfsd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run nfsd with the tightest access possible.
54
55
56
57       If you want to allow any files/directories to be exported read/only via
58       NFS, you must turn on the nfs_export_all_ro  boolean.  Enabled  by  de‐
59       fault.
60
61       setsebool -P nfs_export_all_ro 1
62
63
64
65       If  you  want  to allow any files/directories to be exported read/write
66       via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by de‐
67       fault.
68
69       setsebool -P nfs_export_all_rw 1
70
71
72
73       If you want to allow all domains to execute in fips_mode, you must turn
74       on the fips_mode boolean. Enabled by default.
75
76       setsebool -P fips_mode 1
77
78
79

PORT TYPES

81       SELinux defines port types to represent TCP and UDP ports.
82
83       You can see the types associated with a port  by  using  the  following
84       command:
85
86       semanage port -l
87
88
89       Policy  governs  the  access  confined  processes  have to these ports.
90       SELinux nfsd policy is very flexible allowing users to setup their nfsd
91       processes in as secure a method as possible.
92
93       The following port types are defined for nfsd:
94
95
96       nfs_port_t
97
98
99
100       Default Defined Ports:
101                 tcp 2049,20048-20049
102                 udp 2049,20048-20049
103

MANAGED FILES

105       The  SELinux process type nfsd_t can manage files labeled with the fol‐
106       lowing file types.  The paths listed are the default  paths  for  these
107       file types.  Note the processes UID still need to have DAC permissions.
108
109       cluster_conf_t
110
111            /etc/cluster(/.*)?
112
113       cluster_var_lib_t
114
115            /var/lib/pcsd(/.*)?
116            /var/lib/cluster(/.*)?
117            /var/lib/openais(/.*)?
118            /var/lib/pengine(/.*)?
119            /var/lib/corosync(/.*)?
120            /usr/lib/heartbeat(/.*)?
121            /var/lib/heartbeat(/.*)?
122            /var/lib/pacemaker(/.*)?
123
124       cluster_var_run_t
125
126            /var/run/crm(/.*)?
127            /var/run/cman_.*
128            /var/run/rsctmp(/.*)?
129            /var/run/aisexec.*
130            /var/run/heartbeat(/.*)?
131            /var/run/pcsd-ruby.socket
132            /var/run/corosync-qnetd(/.*)?
133            /var/run/corosync-qdevice(/.*)?
134            /var/run/corosync.pid
135            /var/run/cpglockd.pid
136            /var/run/rgmanager.pid
137            /var/run/cluster/rgmanager.sk
138
139       fsadm_var_run_t
140
141            /var/run/blkid(/.*)?
142
143       glusterd_log_t
144
145            /var/log/glusterfs(/.*)?
146
147       glusterd_var_run_t
148
149            /var/run/gluster(/.*)?
150            /var/run/glusterd.*
151            /var/run/glusterd.*
152            /var/run/glusterd(/.*)?
153
154       krb5_host_rcache_t
155
156            /var/tmp/krb5_0.rcache2
157            /var/cache/krb5rcache(/.*)?
158            /var/tmp/nfs_0
159            /var/tmp/DNS_25
160            /var/tmp/host_0
161            /var/tmp/imap_0
162            /var/tmp/HTTP_23
163            /var/tmp/HTTP_48
164            /var/tmp/ldap_55
165            /var/tmp/ldap_487
166            /var/tmp/ldapmap1_0
167
168       mount_var_run_t
169
170            /run/mount(/.*)?
171            /dev/.mount(/.*)?
172            /var/run/mount(/.*)?
173            /var/run/davfs2(/.*)?
174            /var/cache/davfs2(/.*)?
175
176       nfsd_fs_t
177
178
179       nfsd_tmp_t
180
181
182       nfsd_unit_file_t
183
184            /usr/lib/systemd/system/nfs.*
185
186       root_t
187
188            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
189            /
190            /initrd
191
192       rpcd_var_run_t
193
194            /var/run/sm-notify.*
195            /var/run/rpc.statd(/.*)?
196            /var/run/rpc.statd.pid
197
198       var_lib_nfs_t
199
200            /var/lib/nfs(/.*)?
201
202       var_lib_t
203
204            /opt/(.*/)?var/lib(/.*)?
205            /var/lib(/.*)?
206
207

FILE CONTEXTS

209       SELinux requires files to have an extended attribute to define the file
210       type.
211
212       You can see the context of a file using the -Z option to ls
213
214       Policy governs the access  confined  processes  have  to  these  files.
215       SELinux nfsd policy is very flexible allowing users to setup their nfsd
216       processes in as secure a method as possible.
217
218       STANDARD FILE CONTEXT
219
220       SELinux defines the file context types for the nfsd, if you  wanted  to
221       store  files  with  these types in a diffent paths, you need to execute
222       the semanage command to sepecify alternate labeling and  then  use  re‐
223       storecon to put the labels on disk.
224
225       semanage fcontext -a -t nfsd_tmp_t '/srv/mynfsd_content(/.*)?'
226       restorecon -R -v /srv/mynfsd_content
227
228       Note:  SELinux  often  uses  regular expressions to specify labels that
229       match multiple files.
230
231       The following file types are defined for nfsd:
232
233
234
235       nfsd_exec_t
236
237       - Set files with the nfsd_exec_t type, if you want to transition an ex‐
238       ecutable to the nfsd_t domain.
239
240
241       Paths:
242            /usr/lib/systemd/system-generators/nfs.*,      /usr/sbin/rpc.nfsd,
243            /usr/sbin/rpc.mountd
244
245
246       nfsd_fs_t
247
248       - Set files with the nfsd_fs_t type, if you want to treat the files  as
249       nfsd fs data.
250
251
252
253       nfsd_initrc_exec_t
254
255       - Set files with the nfsd_initrc_exec_t type, if you want to transition
256       an executable to the nfsd_initrc_t domain.
257
258
259
260       nfsd_tmp_t
261
262       - Set files with the nfsd_tmp_t type, if you want to store nfsd  tempo‐
263       rary files in the /tmp directories.
264
265
266
267       nfsd_unit_file_t
268
269       -  Set  files  with the nfsd_unit_file_t type, if you want to treat the
270       files as nfsd unit content.
271
272
273
274       Note: File context can be temporarily modified with the chcon  command.
275       If  you want to permanently change the file context you need to use the
276       semanage fcontext command.  This will modify the SELinux labeling data‐
277       base.  You will need to use restorecon to apply the labels.
278
279

SHARING FILES

281       If  you  want to share files with multiple domains (Apache, FTP, rsync,
282       Samba), you can set a file context of public_content_t and  public_con‐
283       tent_rw_t.   These  context  allow any of the above domains to read the
284       content.  If you want a particular domain to write to  the  public_con‐
285       tent_rw_t domain, you must set the appropriate boolean.
286
287       Allow  nfsd  servers to read the /var/nfsd directory by adding the pub‐
288       lic_content_t file type to the directory  and  by  restoring  the  file
289       type.
290
291       semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
292       restorecon -F -R -v /var/nfsd
293
294       Allow  nfsd  servers to read and write /var/nfsd/incoming by adding the
295       public_content_rw_t type to the directory and  by  restoring  the  file
296       type.  You also need to turn on the nfsd_anon_write boolean.
297
298       semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
299       restorecon -F -R -v /var/nfsd/incoming
300       setsebool -P nfsd_anon_write 1
301
302
303       If you want to allow nfs servers to modify public files used for public
304       file transfer services.  Files/Directories must be labeled  public_con‐
305       tent_rw_t., you must turn on the nfsd_anon_write boolean.
306
307       setsebool -P nfsd_anon_write 1
308
309

COMMANDS

311       semanage  fcontext  can also be used to manipulate default file context
312       mappings.
313
314       semanage permissive can also be used to manipulate  whether  or  not  a
315       process type is permissive.
316
317       semanage  module can also be used to enable/disable/install/remove pol‐
318       icy modules.
319
320       semanage port can also be used to manipulate the port definitions
321
322       semanage boolean can also be used to manipulate the booleans
323
324
325       system-config-selinux is a GUI tool available to customize SELinux pol‐
326       icy settings.
327
328

AUTHOR

330       This manual page was auto-generated using sepolicy manpage .
331
332

SEE ALSO

334       selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
335       setsebool(8)
336
337
338
339nfsd                               21-06-09                    nfsd_selinux(8)
Impressum