Re: Assistance with SELinux and NFS Read-Only

On Tue, Dec 8, 2020 at 5:04 PM Felipe Polanco <felipeapolanco@xxxxxxxxx> wrote:
> Hi,
>
> I'm trying to share an NFS mount point as read-only using only
> SELinux; this is for learning purposes.
>
> I'm running CentOS but I didn't find a CentOS mailing list, this one
> was the closest I could find.
Hi,

The behaviour should be basically the same for all distros using Fedora-based policy.


> I'm on CentOS 7 server 7.8.2003
>
> I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0
> and still the NFS clients can write to the files of the share.
>
> I played with the public_content_t type but that made no difference on
> the files.
Do you mean you tried different types, e.g. public_content_rw_t?


> My share directory on the NFS server:
>
> [root@localhost primary]# ls -lahZ
> drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   .
> drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   ..
> -rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
> -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
> -rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
> -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
>
> Those with user system_u were created by NFS clients, the unconfined_u
> ones were created by root on the NFS server; still, the NFS clients have
> write capabilities on all of them.
>
>
> [root@localhost primary]# getsebool -a | grep nfs_export
> nfs_export_all_ro --> on
> nfs_export_all_rw --> off
>
> [root@localhost primary]# getenforce
> Enforcing
>
> Any ideas?
Please install setools-console, run the following commands, and compare with this output:

# getsebool nfsd_anon_write
nfsd_anon_write --> off
# sesearch -A -s nfsd_t -t public_content_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True


> Thanks,
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx


--

Zdenek Pytela
SELinux team
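The sesearch output above can be read mechanically, and doing so is the quickest way to see why nfs_export_all_ro still grants nfsd_t read access to public_content_t files (the non_security_file_type rule applies to that type too) while no active rule grants write on them. The script below is an added example, not code from this thread or from the SELinux project: a POSIX sh script that takes sesearch -A lines in the setools-console format shown above, plus boolean states in a getsebool-like name=on/name=off form, and reports which rules actually grant a permission once the "[ boolean ]:True/False" marker is taken into account. The rule lines and boolean values embedded in it are the ones posted in the thread, used here as a constructed sample; the function names (bool_state, rule_grants, perm_granted, show) and the name=on boolean format are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate "sesearch -A" output against
# boolean states to see which allow rules are actually active.
#
# Assumptions (this example's own, not setools' API):
#  - rule lines use the setools 4 format shown in the thread:
#      allow SRC TGT:CLASS { perm ... };            (unconditional)
#      allow SRC TGT:CLASS perm; [ bool ]:True      (rule sits in the True branch)
#    ":True"/":False" names the branch of the conditional the rule lives in,
#    not the boolean's current value; that value has to come from getsebool.
#  - boolean states are given one per line as "name=on" / "name=off".

# Constructed sample: the rules and booleans posted in the thread.
RULES_PUBLIC_CONTENT_T='allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };'

RULES_PUBLIC_CONTENT_RW_T='allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True'

SAMPLE_BOOLS='nfs_export_all_ro=on
nfs_export_all_rw=off
nfsd_anon_write=off
domain_can_mmap_files=on'

# bool_state NAME BOOLS -> prints on/off; an unlisted boolean counts as off
bool_state() {
    bs_v=$(printf '%s\n' "$2" | awk -F= -v n="$1" '$1 == n { print $2; exit }')
    printf '%s' "${bs_v:-off}"
}

# rule_grants PERM LINE BOOLS -> 0 if LINE grants PERM under BOOLS,
# 1 if not, 2 if the conditional is compound and must be checked by hand
rule_grants() {
    rg_perm=$1; rg_line=$2; rg_bools=$3
    # permission set: "{ a b c }" form first, then the single-permission form
    rg_perms=$(printf '%s\n' "$rg_line" | sed -n 's/^allow [^:]*:[a-z_]* { \(.*\) };.*$/\1/p')
    [ -n "$rg_perms" ] || rg_perms=$(printf '%s\n' "$rg_line" | sed -n 's/^allow [^:]*:[a-z_]* \([a-z_]*\);.*$/\1/p')
    case " $rg_perms " in
        *" $rg_perm "*) ;;
        *) return 1 ;;
    esac
    # conditional suffix, if any
    rg_cond=$(printf '%s\n' "$rg_line" | sed -n 's/.*\[ \(.*\) ]:[A-Za-z]*$/\1/p')
    [ -n "$rg_cond" ] || return 0          # unconditional rule: always active
    case $rg_cond in
        *'&&'*|*'||'*|*'!'*)
            echo "compound conditional, check by hand: $rg_line" >&2
            return 2 ;;
    esac
    rg_branch=$(printf '%s\n' "$rg_line" | sed -n 's/.*]:\([A-Za-z]*\)$/\1/p')
    rg_state=$(bool_state "$rg_cond" "$rg_bools")
    # True-branch rules are active when the boolean is on, False-branch when off
    if [ "$rg_branch" = True ]; then
        [ "$rg_state" = on ]
    else
        [ "$rg_state" = off ]
    fi
}

# perm_granted PERM RULES BOOLS -> prints the active rules granting PERM;
# exit status 0 if there is at least one, 1 otherwise
perm_granted() {
    pg_perm=$1; pg_rules=$2; pg_bools=$3; pg_any=1
    while IFS= read -r pg_line; do
        [ -n "$pg_line" ] || continue
        if rule_grants "$pg_perm" "$pg_line" "$pg_bools"; then
            printf '%s\n' "$pg_line"
            pg_any=0
        fi
    done <<EOF
$pg_rules
EOF
    return $pg_any
}

# Demo on the constructed sample, mirroring the question in the thread.
show() { # show PERM TYPE RULES BOOLS
    if perm_granted "$1" "$3" "$4" >/dev/null; then
        echo "nfsd_t $1 on $2: allowed by policy"
    else
        echo "nfsd_t $1 on $2: NOT allowed by policy"
    fi
}
show read  public_content_t    "$RULES_PUBLIC_CONTENT_T"    "$SAMPLE_BOOLS"
show write public_content_t    "$RULES_PUBLIC_CONTENT_T"    "$SAMPLE_BOOLS"
show write public_content_rw_t "$RULES_PUBLIC_CONTENT_RW_T" "$SAMPLE_BOOLS"
# the same query with nfsd_anon_write turned on
BOOLS_ANON_ON=$(printf '%s\n' "$SAMPLE_BOOLS" | sed 's/^nfsd_anon_write=off$/nfsd_anon_write=on/')
show write public_content_rw_t "$RULES_PUBLIC_CONTENT_RW_T" "$BOOLS_ANON_ON"
```

On a live system the two inputs come straight from the tools named in the reply: `perm_granted write "$(sesearch -A -s nfsd_t -t public_content_t -c file)" "$(getsebool -a | sed 's/ --> /=/')"`. The point of feeding getsebool alongside sesearch is that sesearch alone prints every conditional rule, active or not, so the rule on public_content_rw_t looks like a write grant until its boolean is checked; with nfsd_anon_write off it is not in force, and for public_content_t there is no write rule at all, which is what the empty `sesearch ... -p write` result in the reply shows.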
