Assistance with SELinux and NFS Read-Only
by Felipe Polanco
Hi,
I'm trying to share an NFS mount point as read-only using only
SELinux; this is for learning purposes.
I'm running CentOS but I didn't find a CentOS mailing list; this one
was the closest I could find.
I'm on a CentOS 7 server, 7.8.2003.
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0
and still, the NFS clients can write to the files of the share.
I played with the public_content_t type but that made no difference on
the files.
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients; the unconfined_u
ones were created by root on the NFS server. Still, the NFS clients have
write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Thanks,
2 years, 9 months
How is policy.31 created from modules under /usr/share/selinux
by Ashish Mishra
Hi all,
Good morning.
I am following the SELinux Notebook and trying the same at my end.
- The refpolicy modules are copied to /usr/share/selinux/refpolicy;
I can see around 400+ modules there.
But can the senior members please help me understand how
/etc/selinux/refpolicy/policy/policy.31 is created using the modules
available at
/usr/share/selinux?
The commands I followed:
$ make install-src
$ make conf
$ make load (even tried $ make install)
$ make install-headers
- This can help me debug an issue where I am trying to get SELinux
on my custom
distro, where all the make commands are successfully executed but policy.31
is not getting created.
- I can also see the "include" folder getting created for make
install-headers.
Any pointers will be helpful, or please let me know if I am missing any
aspect here.
Thanks,
Ashish.
2 years, 10 months