Hi,
I'm trying to share an NFS mount point as Read-only using only
SELinux, this is for learning purposes.
I'm running Centos but I didn't find a Centos Mailing List, this one
was the closest I could find.
I'm on Centos 7 server 7.8.2003
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0
and still, the NFS clients can write to the files of the Share.
I played with the public_content_t type but that made no difference on
the files.
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients, the unconfined_u
were created by root on the NFS server, still the NFS clients have
write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Thanks,