Hi,
I'm trying to share an NFS mount point as read-only using only SELinux; this is for learning purposes.
I'm running CentOS, but I didn't find a CentOS mailing list; this one was the closest I could find.
I'm on CentOS 7 server 7.8.2003.
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0, and still the NFS clients can write to the files of the share.
I played with the public_content_t type, but that made no difference on the files.
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients; the unconfined_u ones were created by root on the NFS server. Still, the NFS clients have write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Thanks,
On Tue, Dec 8, 2020 at 5:04 PM Felipe Polanco felipeapolanco@gmail.com wrote:
Hi,
I'm trying to share an NFS mount point as read-only using only SELinux; this is for learning purposes.
I'm running CentOS, but I didn't find a CentOS mailing list; this one was the closest I could find.
Hi,
The behaviour should be basically the same for all distros using Fedora-based policy.
I'm on CentOS 7 server 7.8.2003.
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0, and still the NFS clients can write to the files of the share.
I played with the public_content_t type, but that made no difference on the files.
Do you mean you tried different types, e.g. public_content_rw_t?
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients; the unconfined_u ones were created by root on the NFS server. Still, the NFS clients have write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Please install setools-console and run and compare with this output:
# getsebool nfsd_anon_write
nfsd_anon_write --> off
# sesearch -A -s nfsd_t -t public_content_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True
Thanks,
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
Hi,
Seems like my output is different from yours:
[root@localhost ~]# getsebool nfsd_anon_write
nfsd_anon_write --> off
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_t -c file
Found 3 semantic av rules:
   allow nfsd_t public_content_t : file { ioctl read getattr lock open } ;
   allow nfsd_t non_security_file_type : file { ioctl read getattr lock open } ;
   allow domain file_type : file map ;
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_t -c file -p write
[root@localhost ~]# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
Found 1 semantic av rules:
   allow nfsd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
Besides setting the booleans on the appropriate on/off state, what else is needed to disable R/W permission on NFS shares via SELinux?
On Wed, Dec 9, 2020 at 4:17 AM Zdenek Pytela zpytela@redhat.com wrote:
On Tue, Dec 8, 2020 at 5:04 PM Felipe Polanco felipeapolanco@gmail.com wrote:
Hi,
I'm trying to share an NFS mount point as read-only using only SELinux; this is for learning purposes.
I'm running CentOS, but I didn't find a CentOS mailing list; this one was the closest I could find.
Hi,
The behaviour should be basically the same for all distros using Fedora-based policy.
I'm on CentOS 7 server 7.8.2003.
I have run setsebool -P nfs_export_all_ro 1 and nfs_export_all_rw 0, and still the NFS clients can write to the files of the share.
I played with the public_content_t type, but that made no difference on the files.
Do you mean you tried different types, e.g. public_content_rw_t?
My share directory on NFS server:
[root@localhost primary]# ls -lahZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file4
Those with user system_u were created by NFS clients; the unconfined_u ones were created by root on the NFS server. Still, the NFS clients have write capabilities to all of them.
[root@localhost primary]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> off
[root@localhost primary]# getenforce
Enforcing
Any ideas?
Please install setools-console and run and compare with this output:
# getsebool nfsd_anon_write
nfsd_anon_write --> off
# sesearch -A -s nfsd_t -t public_content_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
# sesearch -A -s nfsd_t -t public_content_t -c file -p write
# sesearch -A -s nfsd_t -t public_content_rw_t -c file -p write
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True
Thanks,
--
Zdenek Pytela SELinux team
selinux@lists.fedoraproject.org
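The two sesearch output styles in this thread (Zdenek's setools 4 output with "[ bool ]:State" tags, Felipe's older "Found N semantic av rules:" output) differ only in presentation; a small parser that reads both and reports which target types nfsd_t may write to, and which boolean gates each rule, makes the comparison mechanical. This is an added example, not code from the thread or from setools; the sample outputs below are constructed from the rules quoted above, and the boolean states passed to effective_perms are those the getsebool output reports.

```python
import re

# Constructed samples modelled on the two sesearch styles quoted in the thread:
# setools 4 prints "[ bool ]:State" per rule; setools 3 prints a header and (without -C) no conditional.
SAMPLE_SETOOLS4 = """\
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nfsd_t non_security_file_type:file { getattr ioctl lock open read }; [ nfs_export_all_ro ]:True
allow nfsd_t public_content_t:file { getattr ioctl lock map open read };
allow nfsd_t public_content_rw_t:file { append create link rename setattr unlink write }; [ nfsd_anon_write ]:True
"""
SAMPLE_SETOOLS3 = """\
Found 4 semantic av rules:
   allow nfsd_t public_content_t : file { ioctl read getattr lock open } ;
   allow nfsd_t non_security_file_type : file { ioctl read getattr lock open } ;
   allow domain file_type : file map ;
   allow nfsd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""

# One allow rule: "allow SRC TGT : CLASS { perms } ;" or "... CLASS perm ;", plus an optional setools 4 tag.
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+?)\s+(?P<tgt>\S+?)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
    r"(?:\s*\[\s*(?P<bool>\w+)\s*\]:(?P<state>True|False))?"
)

def parse_allow_rules(text):
    """Return one dict per allow rule found in sesearch output."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = frozenset((m.group("perms") or m.group("perm")).split())
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
                      "perms": perms, "bool": m.group("bool"), "state": m.group("state")})
    return rules

def write_grants(rules, src="nfsd_t", cls="file"):
    """Target types src may 'write', mapped to the boolean gating the rule
    (None: unconditional, or the conditional was not printed)."""
    return {r["tgt"]: r["bool"] for r in rules
            if r["src"] == src and r["cls"] == cls and "write" in r["perms"]}

def effective_perms(rules, booleans, src, tgt, cls="file"):
    """Permissions src currently holds on tgt given the boolean states
    (as reported by getsebool). Only exact target types are matched;
    attribute targets such as file_type are not expanded here."""
    perms = set()
    for r in rules:
        if (r["src"], r["tgt"], r["cls"]) != (src, tgt, cls):
            continue
        if r["bool"] is None or booleans.get(r["bool"], False) == (r["state"] == "True"):
            perms |= r["perms"]
    return perms
```

With the booleans as shown in the thread (nfs_export_all_ro on, nfs_export_all_rw off, nfsd_anon_write off), the only write rule for nfsd_t on a public_content type is the nfsd_anon_write-gated one for public_content_rw_t, and it is inactive; the older setools 3 format hides that gating boolean, which is why the two outputs look different.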