On Tue, Sep 28, 2021 at 12:42 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:
On 28/09/2021 18:20, Paul Howarth wrote:
> On Tue, 28 Sep 2021 06:22:47 +0800
> Ed Greshko <ed.greshko(a)greshko.com> wrote:
>
>> On 28/09/2021 05:13, Thomas Cameron wrote:
>>> On 9/26/2021 5:57 AM, Ed Greshko wrote:
>>>> Hi,
>>>>
>>>> The configuration is a Fedora NFS server holding the home
>>>> directories of Fedora clients. So, all Fedora.
>>>>
>>>> Example: A user on the client creates a ~/.cert directory.
>>>> Looking at the directory from the server side we see.
>>>>
>>>> [djensen@f35ser ~]$ ls -Zd .cert
>>>> system_u:object_r:home_cert_t:s0 .cert
>>>>
>>>> On the client side the user sees
>>>>
>>>> [djensen@f35k ~]$ ls -Zd .cert
>>>> system_u:object_r:nfs_t:s0 .cert
>>>>
>>>> Is there a way the client side can show the actual selinux context
>>>> that is being enforced on the server side?
>>> Have you tried the instructions at
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
>>> by chance? If I recall correctly, you can force the behavior where
>>> the client sees the exact same type as the server has on the
>>> filesystem.
>> I had not found that documentation.
>>
>> That document seems a bit out of date when it comes to the latest
>> Fedora. I'm doing this on F35, but I think F34 is pretty much the
>> same in this area.
>>
>> On the server, there is no /etc/sysconfig/nfs file. If I edit a file
>> with that name and then start the nfs-server the file then becomes
>> nfs.rpmsave.
> I believe /etc/sysconfig/nfs was replaced by /etc/nfs.conf
>
>
> https://fedoraproject.org/wiki/Changes/nfs.conf
Ah, yes, that now rings a bell.

The problem now may be where to define RPCNFSDARGS? The man page for nfs.conf doesn't list that as an option.

On the client mount shows

f35ser:/home/djensen on /home/djensen type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,soft,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=2001:b030:112f:2::f351,local_lock=none,addr=2001:b030:112f:2::f355

For sharing SELinux labels over NFS you need to export the directory
with the "security_label" option on the server side. For example, if I
wanted to export a directory for testing purposes, I would do:

    exportfs -o rw,security_label localhost:/path/to/dir

I guess in your case you probably have the export configured in
/etc/exports - in that case you need to add the "security_label"
option in that file.
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
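
A way to audit the setting discussed in the reply above, as an added example that is not part of the original thread: it lists /etc/exports entries whose effective options lack "security_label" and checks that a client mount line shows vers=4.2, the NFS version that carries labels. The function names, the sample exports text and the host "backup" are constructed for illustration; paths are assumed to contain no spaces.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes export paths contain no spaces.

# Print "path client" for each exports(5) entry on stdin whose effective
# option list does not include security_label.
exports_missing_label() {
  awk '
    { sub(/#.*/, "") }                                # drop comments
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continued lines
    {
      $0 = buf $0; buf = ""
      if (NF == 0) next
      path = $1; defaults = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^-/) { defaults = substr($i, 2); continue }  # "-opts" defaults
        client = $i; opts = defaults
        if (match($i, /\(.*\)$/)) {                   # client(opt,opt,...)
          client = substr($i, 1, RSTART - 1)
          opts = defaults "," substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (client == "") client = "*"                # bare "(opts)" = any host
        if (("," opts ",") !~ /,security_label,/) print path, client
      }
    }'
}

# Succeed if a mount(8) output line shows an NFSv4.2 mount.
mount_is_v42() {
  printf '%s\n' "$1" | grep -Eq '[(,]vers=4\.2([,)]|$)'
}

# Constructed sample exports file; f35k is the client name used in the thread.
sample_exports() {
  cat <<'EOF'
# constructed sample
/home        f35k(rw,sync)  192.0.2.0/24(rw,security_label)
/srv/data    -rw,security_label  f35k  backup(ro)
/export/pub  \
    *(ro)
EOF
}

# Report the sample entries that would still show nfs_t on the client.
sample_exports | exports_missing_label
```

On a real server, feed it the live file with `exports_missing_label < /etc/exports`.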