Hi,

I'm trying to share an NFS mount point as read-only using only SELinux; this is for learning purposes. I'm running CentOS, but I didn't find a CentOS mailing list; this one was the closest I could find.

I'm on CentOS 7 server 7.8.2003. I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0 and still, the NFS clients can write to the files of the share. I played with the public_content_t type but that made no difference on the files.

My share directory on the NFS server:

[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4

Those with user system_u were created by NFS clients, and the unconfined_u ones were created by root on the NFS server; still, the NFS clients have write capabilities to all of them.

[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing

Any ideas?

Thanks,
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx