On 9/26/2021 5:57 AM, Ed Greshko wrote:
> Hi,
>
> The configuration is a Fedora NFS server holding the home directories
> of Fedora clients. So, all Fedora.
>
> Example: A user on the client creates a ~/.cert directory. Looking at
> the directory from the server side we see:
>
> [djensen@f35ser ~]$ ls -Zd .cert
> system_u:object_r:home_cert_t:s0 .cert
>
> On the client side the user sees:
>
> [djensen@f35k ~]$ ls -Zd .cert
> system_u:object_r:nfs_t:s0 .cert
>
> Is there a way the client side can show the actual selinux context
> that is being enforced on the server side?
Have you tried the instructions at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-nfs-configuration_examples,
by chance? If I recall correctly, you can force the behavior where the
client sees the exact same type as the server has on the filesystem.
I'm pretty sure the behavior you're describing is correct and desired.
From the client, the .cert directory is dealt with in the context of it
being type nfs_t. You won't see the extended attributes stored on the
server filesystem, instead you're using labeled NFS (see e.g.
https://fedoraproject.org/wiki/Changes/LabeledNFS). SELinux will apply
policy against it based on that context. On the server side, the .cert
directory is labeled home_cert_t because that's what the label on the
server is, and that's the type stored in extended attributes on the
filesystem.
I'm dusting off a lot of cobwebs for this, so I could be wrong.
Thomas
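As an added illustration (not part of the thread above, and not the RHEL or Fedora documentation's own script), the two conditions the Fedora LabeledNFS change requires before a client can see the server's context instead of the generic nfs_t type are: the server export carries the security_label option, and the client has negotiated NFS v4.2, the first version that transports SELinux labels. The script below checks both against sample lines; the /etc/exports and /proc/mounts lines, the host names f35ser/f35k and the 192.0.2.10 address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: decide whether an NFS
# mount can carry the server's SELinux labels (labeled NFS) or will show
# the client-side default type nfs_t.

# Constructed sample /etc/exports lines as they would appear on the server.
EXPORT_WITHOUT='/home  f35k(rw,sync,no_root_squash)'
EXPORT_WITH='/home  f35k(rw,sync,no_root_squash,security_label)'

# Constructed sample /proc/mounts lines as they would appear on the client.
MOUNT_V41='f35ser:/home /home nfs4 rw,relatime,vers=4.1,rsize=1048576,sec=sys,addr=192.0.2.10 0 0'
MOUNT_V42='f35ser:/home /home nfs4 rw,relatime,vers=4.2,rsize=1048576,sec=sys,addr=192.0.2.10 0 0'

# export_has_security_label "<exports line>": succeeds if the option is set.
# Options live in the parentheses after the client spec; match a whole token
# so that, for example, a hypothetical "no_security_label" would not count.
export_has_security_label() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p' | tr ',' '\n' | grep -qx 'security_label'
}

# mount_is_v42 "<proc/mounts line>": succeeds if the mount negotiated NFS 4.2.
# Fields: source, mountpoint, fstype, options, dump, pass.
mount_is_v42() {
    set -- $1
    [ "$3" = nfs4 ] || return 1
    printf '%s\n' "$4" | tr ',' '\n' | grep -qx 'vers=4.2'
}

# labeled_nfs_status "<exports line>" "<mounts line>": prints "labeled" when
# both conditions hold, otherwise the reason the client will see nfs_t.
labeled_nfs_status() {
    if ! export_has_security_label "$1"; then
        echo "unlabeled: export lacks security_label, client sees nfs_t"
    elif ! mount_is_v42 "$2"; then
        echo "unlabeled: mount is not NFS v4.2, client sees nfs_t"
    else
        echo "labeled: client sees the server's context"
    fi
}

# Stand-alone run over the constructed samples.
labeled_nfs_status "$EXPORT_WITHOUT" "$MOUNT_V42"
labeled_nfs_status "$EXPORT_WITH" "$MOUNT_V41"
labeled_nfs_status "$EXPORT_WITH" "$MOUNT_V42"
```

On a real pair of hosts, feed labeled_nfs_status the matching line from the server's /etc/exports and the client's /proc/mounts (or `mount | grep nfs4`). After adding security_label to an export, re-export with `exportfs -ra` on the server and remount on the client; only then does `ls -Z` on the client report the server's home_cert_t rather than nfs_t.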
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure