Re: NFS and selinux context question

On Tue, Sep 28, 2021 at 12:42 PM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
> On 28/09/2021 18:20, Paul Howarth wrote:
> > On Tue, 28 Sep 2021 06:22:47 +0800
> > Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
> >
> >> On 28/09/2021 05:13, Thomas Cameron wrote:
> >>> On 9/26/2021 5:57 AM, Ed Greshko wrote:
> >>>> Hi,
> >>>>
> >>>> The configuration is a Fedora NFS server holding the home
> >>>> directories of Fedora clients.  So, all Fedora.
> >>>>
> >>>> Example:  A user on the client creates a ~/.cert directory.
> >>>> Looking at the directory from the server side we see.
> >>>>
> >>>> [djensen@f35ser ~]$ ls -Zd .cert
> >>>> system_u:object_r:home_cert_t:s0 .cert
> >>>>
> >>>> On the client side the user sees
> >>>>
> >>>> [djensen@f35k ~]$ ls -Zd .cert
> >>>> system_u:object_r:nfs_t:s0 .cert
> >>>>
> >>>> Is there a way the client side can show the actual selinux context
> >>>> that is being enforced on the server side?
> >>> Have you tried the instructions at
> >>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-nfs-configuration_examples,
> >>> by chance? If I recall correctly, you can force the behavior where
> >>> the client sees the exact same type as the server has on the
> >>> filesystem.
> >> I had not found that documentation.
> >>
> >> That document seems a bit out of date when it comes to the latest
> >> Fedora.  I'm doing this on F35, but I think F34 is pretty much the
> >> same in this area.
> >>
> >> On the server, there is no /etc/sysconfig/nfs file.  If I edit a file
> >> with that name and then start the nfs-server the file then becomes
> >> nfs.rpmsave.
> > I believe /etc/sysconfig/nfs was replaced by /etc/nfs.conf
> >
> > https://fedoraproject.org/wiki/Changes/nfs.conf
>
> Ah, yes, that now rings a bell.
>
> The problem now may be where to define RPCNFSDARGS?  The man page for nfs.conf doesn't list that
> as an option.
>
> On the client mount shows
>
> f35ser:/home/djensen on /home/djensen type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,soft,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=2001:b030:112f:2::f351,local_lock=none,addr=2001:b030:112f:2::f355

For sharing SELinux labels over NFS you need to export the directory
with the "security_label" option on the server side. For example, if I
wanted to export a directory for testing purposes, I would do:

exportfs -o rw,security_label localhost:/path/to/dir

I guess in your case you probably have the export configured in
/etc/exports - in that case you need to add the "security_label"
option in that file.

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
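A small audit helper for the advice above, added here as an example and not part of the original thread or of nfs-utils: it parses an /etc/exports-style file and lists every export entry whose option list lacks "security_label", i.e. the exports on which NFSv4.2 clients will keep seeing the generic nfs_t label instead of the server's real context. The sample exports file, its paths and host names are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the original thread: find /etc/exports entries
# that do not carry the "security_label" option.

# Constructed sample exports file; paths and hosts are made up.
make_sample_exports() {
    cat > "$1" <<'EOF'
# home directories: SELinux labels are shared with clients
/home            *.example.test(rw,sync,security_label)
# scratch space: labels NOT shared, clients see nfs_t
/srv/scratch     client1.example.test(rw,sync) client2.example.test(ro)
/srv/mixed       client1.example.test(rw,security_label) client2.example.test(ro)
EOF
}

# Print "<path> <host>" for every export entry whose options do not include
# security_label.  Exit status 0 when every entry has it, 1 otherwise.
exports_missing_security_label() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            path = $1
            # every further field is "host(opt,opt,...)" or a bare host
            for (i = 2; i <= NF; i++) {
                entry = $i
                host = entry; opts = ""
                p = index(entry, "(")
                if (p > 0) {
                    host = substr(entry, 1, p - 1)
                    opts = substr(entry, p + 1)
                    sub(/\)$/, "", opts)
                }
                n = split(opts, o, ",")
                found = 0
                for (j = 1; j <= n; j++) if (o[j] == "security_label") found = 1
                if (!found) { print path, host; missing = 1 }
            }
        }
        END { exit missing ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
make_sample_exports "$sample"
exports_missing_security_label "$sample" || echo "some exports lack security_label"
rm -f "$sample"
```

To check a real server, run `exports_missing_security_label /etc/exports` (and any files under /etc/exports.d) after adding the option; the entries it prints are the ones a client will still show as nfs_t. Note that the option must also be accepted by the server's exportfs, which is the case on the Fedora 34/35 nfs-utils discussed in the thread.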
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure