Make NFS Work with SELinux
Of course, appropriate firewalls are not enough. SELinux is an integral part of thesecurity landscape, with respect to both boolean options and files. First, there aretwo file types associated with NFS:
var_lib_nfs_tAssociated with dynamic files in the /var/lib/nfs directory.Files in this directory are updated as shares are mounted, as files from shareddirectories are called and locked.nfsd_exec_tAssigned to system executable files such as rpc.mountd andrpc.nfsd in the /usr/sbin directory. Closely related are the rpcd_exec_t andgssd_exec_t file types, for services associated with RPCs and communicationswith Kerberos servers.
✩n general, you won’t have to assign a new file type to a shared NFS directory.So for most administrators, these file types are shown for reference.
The figure reflects the default configuration; in otherwords, the global modules are all enabled by default.The following directives are associated with making NFS work with SELinux intargeted mode.
| selinux选项 | 作用 |
|---|---|
| allow_gssd_read_tmp | Supports the reading of temporary directories by the General Security Services daemon, gssd, which helps protect NFS whensystems authenticate through Kerberos 5. |
| httpd_use_nfs | Supports access by the Apache Web server to shared NFSdirectories. |
| cd_record_read_content | Enables access to mounted NFS directories by thecdrecord command. |
| allow_ftpd_use_nfs | Allows the use of shared NFS directories by FTPservers. |
| git_system_use_nfs | Supports access of NFS shares by the git revisioncontrol system service. |
| nfs_export_all_ro | Supports read-only access to shared NFS directories. |
| nfs_export_all_rw | Supports read/write access to shared NFS directories. |
| use_nfs_home_dirs | Enables the mounting of /home on a remote NFSserver. |
| qemu_use_nfs | Allows access by the quick emulator to NFS-mountedfilesystems. |
| allow_nfsd_anon_write | Supports NFS servers when they modify files onpublic file transfer services. |
| samba_share_nfs | Allows Samba to export NFS-mounted directories. |
| virt_use_nfs | Enables access by VMs to NFS-mounted filesystems. |
| xen_use_nfs | Allows access by the Xen virtual machine monitor to NFSmounted filesystems. |
To set these directives, use the setsebool command. For example, to activate accessby an FTP server, in a way that survives a reboot, run the following command:
# setsebool -P allow_ftpd_use_nfs 1