On Tue, Dec 8, 2020 at 5:04 PM Felipe Polanco <felipeapolanco@xxxxxxxxx> wrote:
Hi,
I'm trying to share an NFS mount point as Read-only using only
SELinux, this is for learning purposes.
I'm running Centos but I didn't find a Centos Mailing List, this one
was the closest I could find.
Hi,
The behaviour should be basically the same for all distros using Fedora based policy.
I'm on Centos 7 server 7.8.2003
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0
and still, the NFS clients can write to the files of the Share.
I played with the public_content_t type but that made no difference on
the files.
Do you mean you tried different types, e. g. public_content_rw_t?
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients, the unconfined_u
were created by root on the NFS server, still the NFS clients have
write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Please install setools-console and run and compare with this output:
nfsd_anon_write --> off
# sesearch -A -s nfsd_t -t public_content_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True
Thanks,
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Zdenek Pytela
SELinux team
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
