NFS Labels

Daniel J Walsh dwalsh at redhat.com
Mon Jul 15 18:53:54 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/13/2013 02:15 PM, Jorge Fábregas wrote:
> Hi,
> 
> In the nfsd_selinux man page it mentions:
> 
> nfsd_ro_t nfsd_rw_t
> 
> ...which might give you the impression that those are the labels you might
> use for your shares. I tried them and the client could mount the shares
> read-write (regardless of the label on the server). Clearly they don't work
> or perhaps I'm using them in an unintended way.
> 
> After searching the mailing list I found out that, since nfs mainly runs as
> a kernel module, SELinux can't control it.  Apparently that's also the
> reason the read-only and read-write booleans were removed.  I'm now 
> wondering:
> 
> Did NFS used to run as a daemon in the past?
> 
> Since NFS is practically unconfined, what are the nfsd_ro_t and rw_t
> labels for?
> 
> Thanks!
> 
They should be removed; they are not used and make no sense since nfs is built
into the kernel.  I believe the idea years ago was to allow an admin to
specify which files could be shared via NFS read only and which could be
shared read/write.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHkRUIACgkQrlYvE4MpobNN7wCeOwpiBPC2REwRBiYkpCcNwCLm
WNkAnAxnIyk/z+8yUWuYLv7+epNgCD6f
=iH/J
-----END PGP SIGNATURE-----
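Since the labels discussed above do not restrict what an NFS client can do (the kernel NFS server is not confined, so a share labeled nfsd_ro_t still mounts read-write), the effective read-only or read-write mode of a share comes from the export options in /etc/exports. The following script is an added example, not part of this thread or of nfs-utils: it parses exports(5)-style text and reports which exports are writable and by which clients, so an administrator who expected nfsd_ro_t to enforce read-only can audit what actually does. The sample exports text, host names and netgroup name are constructed for the example; the parsing rules it relies on (exportfs defaults to ro, the last of ro/rw wins, a space before the parenthesised options applies them to all clients) are real exports(5) behaviour.

```python
"""Audit the access mode of NFS exports from exports(5)-style text.

Added example: SELinux labels such as nfsd_ro_t do not make an export
read-only, so the rw/ro export options are what matter.  This script
reports every export that at least one client may write to.
"""
import re
from dataclasses import dataclass, field

# A client spec is "host" or "host(opt,opt,...)"; the host part may be empty,
# which is what "host (opts)" with a stray space turns into (see below).
_CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)  # list of (host, [options])


def _join_continuations(text):
    """Join lines ending in a backslash, as exportfs does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_exports(text):
    """Parse exports(5) text into a list of Export records."""
    exports = []
    for line in _join_continuations(text):
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        export = Export(path=parts[0])
        for spec in parts[1:]:
            m = _CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"cannot parse client spec {spec!r} for {export.path}")
            # "host (opts)" with a space: the options belong to an empty host,
            # i.e. to every client, and the named host gets the defaults.
            host = m.group("host") or "*"
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            export.clients.append((host, opts))
        if not export.clients:
            export.clients.append(("*", []))  # bare path: exported to everyone
        exports.append(export)
    return exports


def _is_rw(opts):
    """exportfs defaults to ro; if both ro and rw are given the last one wins."""
    mode = "ro"
    for opt in opts:
        if opt in ("ro", "rw"):
            mode = opt
    return mode == "rw"


def writable_clients(export):
    """Hosts that are allowed to write to this export."""
    return [host for host, opts in export.clients if _is_rw(opts)]


def audit(text):
    """Return {path: [writable hosts]} for every export with an rw client."""
    result = {}
    for export in parse_exports(text):
        rw = writable_clients(export)
        if rw:
            result[export.path] = rw
    return result


# Constructed sample; not a real host's /etc/exports.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/srv/public   *(ro,sync)
/srv/projects 192.168.1.0/24(rw,sync,root_squash) \\
              build01.example.com(rw,no_root_squash)
/srv/scratch  10.0.0.5 (rw)   # note the space: rw applies to every client
/srv/backup   @backup-hosts(ro)
/srv/legacy
"""

if __name__ == "__main__":
    for path, hosts in audit(SAMPLE_EXPORTS).items():
        print(f"{path}: writable by {', '.join(hosts)}")
```

Run it against a copy of the real file with `audit(open("/etc/exports").read())`; any path reported with `*` in its writable list is world-writable regardless of how the files on the server are labeled.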
