On 10/19/05, Chris PeBenito <pebenito@g.o> wrote:
> On Wed, 2005-10-19 at 10:54 -0400, Andy Dustman wrote:
> > I'm missing some important piece of how to properly mount NFS
> > filesystems under SELinux. I can get the filesystem to mount, but if I
> > try to access it, I get permission denied. Additionally, doing ls -dZ
> > on the mount point shows (none) as the label.
>
> NFS does not support exporting of labels, since it does not support
> xattr. Any NFS filesystems you mount will have (none) as the labels,
> and all of the contents will have the label system_u:object_r:nfs_t,
> even if the server is a SELinux machine. So on your client, you have to
> give access to nfs_t.

> You turn on nfs_portdir if you have a portage tree or overlay on NFS.
> Nfs_home_dirs is if you have a NFS /home.

Actually, my first attempt at this was to try to get an NFS-mounted
Portage overlay to work, and I had the same sort of problem, i.e.
always getting permission denied trying to access nfs_t as sysadm_t.
However, emerge (running as portage_t) can access the files fine.

It looks like enabling nfs_home_dirs creates general access rules for
sysadm_t, staff_t, and user_t (among others) to access NFS files,
which makes my NFS-mounted filesystems generally accessible.

--
Computer interfaces should never be made of meat.
http://www.terrybisson.com/meat.html

--
gentoo-hardened@g.o mailing list
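As an added illustration of the diagnosis in this thread (example code, not from the thread or from the Gentoo SELinux policy): a small POSIX sh helper that classifies an NFS mount from the output of `ls -dZ` and `getsebool`, using the boolean names nfs_portdir and nfs_home_dirs as named above. It assumes getsebool prints lines of the form `name --> on`; the sample outputs at the bottom are constructed, not captured from a real host.

```sh
#!/bin/sh
# Classify the SELinux state of an NFS mount as described in the thread:
# the mount point shows (none), its contents are nfs_t, and which of the
# two booleans is on decides which domains may reach nfs_t.

# is_nfs_context LS_LINE -> 0 when the `ls -dZ` line looks like an NFS object
is_nfs_context() {
    case "$1" in
        *nfs_t*)    return 0 ;;   # contents: system_u:object_r:nfs_t
        *'(none)'*) return 0 ;;   # mount point itself: no xattr support
        *)          return 1 ;;
    esac
}

# bool_state GETSEBOOL_OUTPUT NAME -> prints on, off or unknown
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# nfs_advice LS_LINE GETSEBOOL_OUTPUT -> prints one of:
#   not-nfs          label is neither nfs_t nor (none); these booleans do not apply
#   open-via-boolean nfs_home_dirs on: user_t/staff_t/sysadm_t (and more) reach nfs_t
#   emerge-only      only nfs_portdir on: portage_t reaches nfs_t, sysadm_t is denied
#   denied           neither boolean on: expect permission denied as sysadm_t
nfs_advice() {
    is_nfs_context "$1" || { echo not-nfs; return 0; }
    home=$(bool_state "$2" nfs_home_dirs)
    port=$(bool_state "$2" nfs_portdir)
    if [ "$home" = on ]; then echo open-via-boolean
    elif [ "$port" = on ]; then echo emerge-only
    else echo denied; fi
}

# check_mount MOUNTPOINT: run the real commands (needs an SELinux host)
check_mount() {
    ls_line=$(ls -dZ "$1" 2>/dev/null) || return 1
    bools=$(getsebool nfs_home_dirs nfs_portdir 2>/dev/null) || bools=""
    nfs_advice "$ls_line" "$bools"
}

# Constructed sample matching the thread: overlay on NFS, only nfs_portdir on.
SAMPLE_LS='system_u:object_r:nfs_t /usr/local/overlay'
SAMPLE_BOOLS='nfs_home_dirs --> off
nfs_portdir --> on'
[ "${1:-}" = "" ] && nfs_advice "$SAMPLE_LS" "$SAMPLE_BOOLS"   # prints emerge-only
```

Run it with no argument to see the classification of the constructed sample; on a real client, call `check_mount /path/to/mount` from a shell that has sourced the file.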