1nfsd_selinux(8) SELinux Policy nfsd nfsd_selinux(8)
2
3
4
6 nfsd_selinux - Security Enhanced Linux Policy for the nfsd processes
7
9 Security-Enhanced Linux secures the nfsd processes via flexible manda‐
10 tory access control.
11
12 The nfsd processes execute with the nfsd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep nfsd_t
19
20
21
23 The nfsd_t SELinux type can be entered via the nfsd_exec_t file type.
24
25 The default entrypoint paths for the nfsd_t domain are the following:
26
27 /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
28 /usr/sbin/rpc.mountd
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 nfsd policy is very flexible allowing users to setup their nfsd pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for nfsd:
41
42 nfsd_t
43
44 Note: semanage permissive -a nfsd_t can be used to make the process
45 type nfsd_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 SELinux policy is customizable based on least access required. nfsd
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run nfsd with the tightest access possible.
54
55
56
57 If you want to allow any files/directories to be exported read/only via
58 NFS, you must turn on the nfs_export_all_ro boolean. Enabled by de‐
59 fault.
60
61 setsebool -P nfs_export_all_ro 1
62
63
64
65 If you want to allow any files/directories to be exported read/write
66 via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by de‐
67 fault.
68
69 setsebool -P nfs_export_all_rw 1
70
71
72
73 If you want to dontaudit all daemons scheduling requests (setsched,
74 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
75 Enabled by default.
76
77 setsebool -P daemons_dontaudit_scheduling 1
78
79
80
81 If you want to allow all domains to execute in fips_mode, you must turn
82 on the fips_mode boolean. Enabled by default.
83
84 setsebool -P fips_mode 1
85
86
87
88 If you want to allow system to run with NIS, you must turn on the
89 nis_enabled boolean. Disabled by default.
90
91 setsebool -P nis_enabled 1
92
93
94
96 SELinux defines port types to represent TCP and UDP ports.
97
98 You can see the types associated with a port by using the following
99 command:
100
101 semanage port -l
102
103
104 Policy governs the access confined processes have to these ports.
105 SELinux nfsd policy is very flexible allowing users to setup their nfsd
106 processes in as secure a method as possible.
107
108 The following port types are defined for nfsd:
109
110
111 nfs_port_t
112
113
114
115 Default Defined Ports:
116 tcp 2049,20048-20049
117 udp 2049,20048-20049
118
120 The SELinux process type nfsd_t can manage files labeled with the fol‐
121 lowing file types. The paths listed are the default paths for these
122 file types. Note the processes UID still need to have DAC permissions.
123
124 cluster_conf_t
125
126 /etc/cluster(/.*)?
127
128 cluster_var_lib_t
129
130 /var/lib/pcsd(/.*)?
131 /var/lib/cluster(/.*)?
132 /var/lib/openais(/.*)?
133 /var/lib/pengine(/.*)?
134 /var/lib/corosync(/.*)?
135 /usr/lib/heartbeat(/.*)?
136 /var/lib/heartbeat(/.*)?
137 /var/lib/pacemaker(/.*)?
138
139 cluster_var_run_t
140
141 /var/run/crm(/.*)?
142 /var/run/cman_.*
143 /var/run/rsctmp(/.*)?
144 /var/run/aisexec.*
145 /var/run/heartbeat(/.*)?
146 /var/run/pcsd-ruby.socket
147 /var/run/corosync-qnetd(/.*)?
148 /var/run/corosync-qdevice(/.*)?
149 /var/run/corosync.pid
150 /var/run/cpglockd.pid
151 /var/run/rgmanager.pid
152 /var/run/cluster/rgmanager.sk
153
154 fsadm_var_run_t
155
156 /var/run/fsck(/.*)?
157 /var/run/blkid(/.*)?
158
159 glusterd_log_t
160
161 /var/log/glusterfs(/.*)?
162
163 glusterd_var_run_t
164
165 /var/run/gluster(/.*)?
166 /var/run/glusterd.*
167 /var/run/glusterd.*
168 /var/run/glusterd(/.*)?
169
170 krb5_host_rcache_t
171
172 /var/tmp/krb5_0.rcache2
173 /var/cache/krb5rcache(/.*)?
174 /var/tmp/nfs_0
175 /var/tmp/DNS_25
176 /var/tmp/host_0
177 /var/tmp/imap_0
178 /var/tmp/HTTP_23
179 /var/tmp/HTTP_48
180 /var/tmp/ldap_55
181 /var/tmp/ldap_487
182 /var/tmp/ldapmap1_0
183
184 mount_var_run_t
185
186 /run/mount(/.*)?
187 /dev/.mount(/.*)?
188 /var/run/mount(/.*)?
189 /var/run/davfs2(/.*)?
190 /var/cache/davfs2(/.*)?
191
192 nfsd_fs_t
193
194
195 nfsd_tmp_t
196
197
198 nfsd_unit_file_t
199
200 /usr/lib/systemd/system/nfs.*
201
202 root_t
203
204 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
205 /
206 /initrd
207
208 rpcd_var_run_t
209
210 /var/run/sm-notify.*
211 /var/run/rpc.statd(/.*)?
212 /var/run/rpc.statd.pid
213
214 var_lib_nfs_t
215
216 /var/lib/nfs(/.*)?
217
218 var_lib_t
219
220 /opt/(.*/)?var/lib(/.*)?
221 /var/lib(/.*)?
222
223
225 SELinux requires files to have an extended attribute to define the file
226 type.
227
228 You can see the context of a file using the -Z option to ls
229
230 Policy governs the access confined processes have to these files.
231 SELinux nfsd policy is very flexible allowing users to setup their nfsd
232 processes in as secure a method as possible.
233
234 STANDARD FILE CONTEXT
235
236 SELinux defines the file context types for the nfsd, if you wanted to
237 store files with these types in a different paths, you need to execute
238 the semanage command to specify alternate labeling and then use re‐
239 storecon to put the labels on disk.
240
241 semanage fcontext -a -t nfsd_fs_t '/srv/nfsd/content(/.*)?'
242 restorecon -R -v /srv/mynfsd_content
243
244 Note: SELinux often uses regular expressions to specify labels that
245 match multiple files.
246
247 The following file types are defined for nfsd:
248
249
250
251 nfsd_exec_t
252
253 - Set files with the nfsd_exec_t type, if you want to transition an ex‐
254 ecutable to the nfsd_t domain.
255
256
257 Paths:
258 /usr/lib/systemd/system-generators/nfs.*, /usr/sbin/rpc.nfsd,
259 /usr/sbin/rpc.mountd
260
261
262 nfsd_fs_t
263
264 - Set files with the nfsd_fs_t type, if you want to treat the files as
265 nfsd fs data.
266
267
268
269 nfsd_initrc_exec_t
270
271 - Set files with the nfsd_initrc_exec_t type, if you want to transition
272 an executable to the nfsd_initrc_t domain.
273
274
275
276 nfsd_tmp_t
277
278 - Set files with the nfsd_tmp_t type, if you want to store nfsd tempo‐
279 rary files in the /tmp directories.
280
281
282
283 nfsd_unit_file_t
284
285 - Set files with the nfsd_unit_file_t type, if you want to treat the
286 files as nfsd unit content.
287
288
289
290 Note: File context can be temporarily modified with the chcon command.
291 If you want to permanently change the file context you need to use the
292 semanage fcontext command. This will modify the SELinux labeling data‐
293 base. You will need to use restorecon to apply the labels.
294
295
297 If you want to share files with multiple domains (Apache, FTP, rsync,
298 Samba), you can set a file context of public_content_t and public_con‐
299 tent_rw_t. These context allow any of the above domains to read the
300 content. If you want a particular domain to write to the public_con‐
301 tent_rw_t domain, you must set the appropriate boolean.
302
303 Allow nfsd servers to read the /var/nfsd directory by adding the pub‐
304 lic_content_t file type to the directory and by restoring the file
305 type.
306
307 semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
308 restorecon -F -R -v /var/nfsd
309
310 Allow nfsd servers to read and write /var/nfsd/incoming by adding the
311 public_content_rw_t type to the directory and by restoring the file
312 type. You also need to turn on the nfsd_anon_write boolean.
313
314 semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
315 restorecon -F -R -v /var/nfsd/incoming
316 setsebool -P nfsd_anon_write 1
317
318
319 If you want to allow nfs servers to modify public files used for public
320 file transfer services. Files/Directories must be labeled public_con‐
321 tent_rw_t., you must turn on the nfsd_anon_write boolean.
322
323 setsebool -P nfsd_anon_write 1
324
325
327 semanage fcontext can also be used to manipulate default file context
328 mappings.
329
330 semanage permissive can also be used to manipulate whether or not a
331 process type is permissive.
332
333 semanage module can also be used to enable/disable/install/remove pol‐
334 icy modules.
335
336 semanage port can also be used to manipulate the port definitions
337
338 semanage boolean can also be used to manipulate the booleans
339
340
341 system-config-selinux is a GUI tool available to customize SELinux pol‐
342 icy settings.
343
344
346 This manual page was auto-generated using sepolicy manpage .
347
348
350 selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
351 setsebool(8)
352
353
354
355nfsd 23-12-15 nfsd_selinux(8)