Hi,
Seems like my output is different than yours:
[root@localhost ~]# getsebool nfsd_anon_write
nfsd_anon_write --> off
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_t -c file
Found 3 semantic av rules:
allow nfsd_t public_content_t : file { ioctl read getattr lock open } ;
allow nfsd_t non_security_file_type : file { ioctl read getattr lock
open } ;
allow domain file_type : file map ;
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_t -c file -p
write
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p
write
Found 1 semantic av rules:
allow nfsd_t public_content_rw_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
Besides setting the booleans on the appropriate on/off state, what else is
needed to disable R/W permission on NFS shares via SELinux?
On Wed, Dec 9, 2020 at 4:17 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
On Tue, Dec 8, 2020 at 5:04 PM Felipe Polanco <felipeapolanco(a)gmail.com>
wrote:
> Hi,
>
> I'm trying to share an NFS mount point as Read-only using only
> SELinux, this is for learning purposes.
>
> I'm running Centos but I didn't find a Centos Mailing List, this one
> was the closest I could find.
>
Hi,
The behaviour should be basically the same for all distros using Fedora
based policy.
> I'm on Centos 7 server 7.8.2003
>
> I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0
> and still, the NFS clients can write to the files of the Share.
>
> I played with the public_content_t type but that made no difference on
> the files.
>
Do you mean you tried different types, e. g. public_content_rw_t?
> My share directory on NFS server:
>
> [root@localhost primary]# ls -lahZ
> drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
> -rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
> -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
> -rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
> -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
>
> Those with user system_u were created by NFS clients, the unconfined_u
> were created by root on the NFS server, still the NFS clients have
> write capabilities to all of them.
>
>
> [root@localhost primary]# getsebool -a | grep nfs_export
> nfs_export_all_ro --> on
> nfs_export_all_rw --> off
>
> [root@localhost primary]# getenforce
> Enforcing
>
> Any ideas?
>
Please install setools-console and run and compare with this output:
# getsebool nfsd_anon_write
nfsd_anon_write --> off
# sesearch -A -s nfsd_t -t public_content_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read };
[ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr
unlink write }; [ nfsd_anon_write ]:True
> Thanks,
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
--
Zdenek Pytela
SELinux team