5:57 a.m.
Hi,
The configuration is a Fedora NFS server holding the home directories of Fedora clients.
So, all Fedora.
Example: A user on the client creates a ~/.cert directory. Looking at the directory from
the server side we see.
[djensen@f35ser ~]$ ls -Zd .cert
system_u:object_r:home_cert_t:s0 .cert
On the client side the user sees
[djensen@f35k ~]$ ls -Zd .cert
system_u:object_r:nfs_t:s0 .cert
Is there a way the client side can show the actual selinux context that is being enforced
on
the server side?
--
Nothing to see here
4:13 p.m.
On 9/26/2021 5:57 AM, Ed Greshko wrote:
Hi,
The configuration is a Fedora NFS server holding the home directories
of Fedora clients. So, all Fedora.
Example: A user on the client creates a ~/.cert directory. Looking at
the directory from the server side we see.
[djensen@f35ser ~]$ ls -Zd .cert
system_u:object_r:home_cert_t:s0 .cert
On the client side the user sees
[djensen@f35k ~]$ ls -Zd .cert
system_u:object_r:nfs_t:s0 .cert
Is there a way the client side can show the actual selinux context
that is being enforced on
the server side?
Have you tried the instructions at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
by chance? If I recall correctly, you can force the behavior where the
client sees the exact same type as the server has on the filesystem.
I'm pretty sure the behavior you're describing is correct and desired.
From the client, the .cert directory is dealt with in the context of it
being type nfs_t. You won't see the extended attributes stored on the
server filesystem, instead you're using labeled NFS (see e.g.
https://fedoraproject.org/wiki/Changes/LabeledNFS). SELinux will apply
policy against it based on that context. On the server side, the .cert
directory is labeled home_cert_t because that's what the label on the
server is, and that's the type stored in extended attributes on the
filesystem.
I'm dusting off a lot of cobwebs for this, so I could be wrong.
Thomas
5:22 p.m.
On 28/09/2021 05:13, Thomas Cameron wrote:
On 9/26/2021 5:57 AM, Ed Greshko wrote:
> Hi,
>
> The configuration is a Fedora NFS server holding the home directories of Fedora
clients. So, all Fedora.
>
> Example: A user on the client creates a ~/.cert directory. Looking at the directory
from the server side we see.
>
> [djensen@f35ser ~]$ ls -Zd .cert
> system_u:object_r:home_cert_t:s0 .cert
>
> On the client side the user sees
>
> [djensen@f35k ~]$ ls -Zd .cert
> system_u:object_r:nfs_t:s0 .cert
>
> Is there a way the client side can show the actual selinux context that is being
enforced on
> the server side?
Have you tried the instructions at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
by chance? If I recall correctly, you can force the behavior where the client sees the
exact same type as the server has on the filesystem.
I had not found that documentation.
That document seems a bit out of date when it comes to the latest Fedora. I'm doing
this on F35, but I think F34 is
pretty much the same in this area.
On the server, there is no /etc/sysconfig/nfs file. If I edit a file with that name and
then start the nfs-server the file
then becomes nfs.rpmsave.
In looking at rpc service files I see that rpcbind.service has an
EnvironmentFile=/etc/sysconfig/rpcbind.
tried adding such....
[egreshko@f35ser system]$ cat /etc/sysconfig/rpcbind
#
# Optional arguments passed to rpcbind. See rpcbind(8)
RPCBIND_ARGS="-V 4.2"
RPCNFSDARGS="-V 4.2"
But no luck.
Ideas?
--
Nothing to see here
5:20 a.m.
On Tue, 28 Sep 2021 06:22:47 +0800
Ed Greshko <ed.greshko(a)greshko.com> wrote:
On 28/09/2021 05:13, Thomas Cameron wrote:
> On 9/26/2021 5:57 AM, Ed Greshko wrote:
>> Hi,
>>
>> The configuration is a Fedora NFS server holding the home
>> directories of Fedora clients. So, all Fedora.
>>
>> Example: A user on the client creates a ~/.cert directory.
>> Looking at the directory from the server side we see.
>>
>> [djensen@f35ser ~]$ ls -Zd .cert
>> system_u:object_r:home_cert_t:s0 .cert
>>
>> On the client side the user sees
>>
>> [djensen@f35k ~]$ ls -Zd .cert
>> system_u:object_r:nfs_t:s0 .cert
>>
>> Is there a way the client side can show the actual selinux context
>> that is being enforced on the server side?
>
> Have you tried the instructions at
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
> by chance? If I recall correctly, you can force the behavior where
> the client sees the exact same type as the server has on the
> filesystem.
I had not found that documentation.
That document seems a bit out of date when it comes to the latest
Fedora. I'm doing this on F35, but I think F34 is pretty much the
same in this area.
On the server, there is no /etc/sysconfig/nfs file. If I edit a file
with that name and then start the nfs-server the file then becomes
nfs.rpmsave.
I believe /etc/sysconfig/nfs was replaced by /etc/nfs.conf
https://fedoraproject.org/wiki/Changes/nfs.conf
Paul.
5:42 a.m.
On 28/09/2021 18:20, Paul Howarth wrote:
On Tue, 28 Sep 2021 06:22:47 +0800
Ed Greshko <ed.greshko(a)greshko.com> wrote:
> On 28/09/2021 05:13, Thomas Cameron wrote:
>> On 9/26/2021 5:57 AM, Ed Greshko wrote:
>>> Hi,
>>>
>>> The configuration is a Fedora NFS server holding the home
>>> directories of Fedora clients. So, all Fedora.
>>>
>>> Example: A user on the client creates a ~/.cert directory.
>>> Looking at the directory from the server side we see.
>>>
>>> [djensen@f35ser ~]$ ls -Zd .cert
>>> system_u:object_r:home_cert_t:s0 .cert
>>>
>>> On the client side the user sees
>>>
>>> [djensen@f35k ~]$ ls -Zd .cert
>>> system_u:object_r:nfs_t:s0 .cert
>>>
>>> Is there a way the client side can show the actual selinux context
>>> that is being enforced on the server side?
>> Have you tried the instructions at
>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
>> by chance? If I recall correctly, you can force the behavior where
>> the client sees the exact same type as the server has on the
>> filesystem.
> I had not found that documentation.
>
> That document seems a bit out of date when it comes to the latest
> Fedora. I'm doing this on F35, but I think F34 is pretty much the
> same in this area.
>
> On the server, there is no /etc/sysconfig/nfs file. If I edit a file
> with that name and then start the nfs-server the file then becomes
> nfs.rpmsave.
I believe /etc/sysconfig/nfs was replaced by /etc/nfs.conf
https://fedoraproject.org/wiki/Changes/nfs.conf
Ah, yes, that now rings a bell.
The problem now maybe where to define RPCNFSDARGS? The man page for nfs.conf doesn't
list that
as an option.
On the client mount shows
f35ser:/home/djensen on /home/djensen type nfs4 (rw,relatime,vers=4.2,rsize=262144
,wsize=262144,namlen=255,soft,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=20
01:b030:112f:2::f351,local_lock=none,addr=2001:b030:112f:2::f355
--
Nothing to see here
6:53 a.m.
On Tue, Sep 28, 2021 at 12:42 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:
On 28/09/2021 18:20, Paul Howarth wrote:
> On Tue, 28 Sep 2021 06:22:47 +0800
> Ed Greshko <ed.greshko(a)greshko.com> wrote:
>
>> On 28/09/2021 05:13, Thomas Cameron wrote:
>>> On 9/26/2021 5:57 AM, Ed Greshko wrote:
>>>> Hi,
>>>>
>>>> The configuration is a Fedora NFS server holding the home
>>>> directories of Fedora clients. So, all Fedora.
>>>>
>>>> Example: A user on the client creates a ~/.cert directory.
>>>> Looking at the directory from the server side we see.
>>>>
>>>> [djensen@f35ser ~]$ ls -Zd .cert
>>>> system_u:object_r:home_cert_t:s0 .cert
>>>>
>>>> On the client side the user sees
>>>>
>>>> [djensen@f35k ~]$ ls -Zd .cert
>>>> system_u:object_r:nfs_t:s0 .cert
>>>>
>>>> Is there a way the client side can show the actual selinux context
>>>> that is being enforced on the server side?
>>> Have you tried the instructions at
>>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
>>> by chance? If I recall correctly, you can force the behavior where
>>> the client sees the exact same type as the server has on the
>>> filesystem.
>> I had not found that documentation.
>>
>> That document seems a bit out of date when it comes to the latest
>> Fedora. I'm doing this on F35, but I think F34 is pretty much the
>> same in this area.
>>
>> On the server, there is no /etc/sysconfig/nfs file. If I edit a file
>> with that name and then start the nfs-server the file then becomes
>> nfs.rpmsave.
> I believe /etc/sysconfig/nfs was replaced by /etc/nfs.conf
>
> https://fedoraproject.org/wiki/Changes/nfs.conf
Ah, yes, that now rings a bell.
The problem now maybe where to define RPCNFSDARGS? The man page for nfs.conf doesn't
list that
as an option.
On the client mount shows
f35ser:/home/djensen on /home/djensen type nfs4 (rw,relatime,vers=4.2,rsize=262144
,wsize=262144,namlen=255,soft,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=20
01:b030:112f:2::f351,local_lock=none,addr=2001:b030:112f:2::f355
For sharing SELinux labels over NFS you need to export the directory
with the "security_label" option on the server side. For example, if I
wanted to export a directory for testing purposes, I would do:
exportfs -o rw,security_label localhost:/path/to/dir
I guess in your case you probably have the export configured in
/etc/exports - in that case you need to add the "security_label"
option in that file.
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
8:04 a.m.
On 28/09/2021 19:53, Ondrej Mosnacek wrote:
For sharing SELinux labels over NFS you need to export the directory
with the "security_label" option on the server side. For example, if I
wanted to export a directory for testing purposes, I would do:
exportfs -o rw,security_label localhost:/path/to/dir
I guess in your case you probably have the export configured in
/etc/exports - in that case you need to add the "security_label"
option in that file.
That was it. Thanks much.
And with that bit of knowledge I found that had I read "man 5 exports" I may
have
found it on my own.
934
days inactive
936
days old
selinux@lists.fedoraproject.org
6 comments
4 participants
participants (4)
-
Ed Greshko -
Ondrej Mosnacek -
Paul Howarth -
Thomas Cameron