| 1 |
On 10/19/05, Chris PeBenito <pebenito@g.o> wrote: |
| 2 |
> On Wed, 2005-10-19 at 10:54 -0400, Andy Dustman wrote: |
| 3 |
> > I'm missing some important piece of how to properly mount NFS |
| 4 |
> > filesystems under SELinux. I can get the filesystem to mount, but if I |
| 5 |
> > try to access it, I get permission denied. Additionally, doing ls -dZ |
| 6 |
> > on the mount point shows (none) as the label. |
| 7 |
> |
| 8 |
> NFS does not support exporting of labels, since it does not support |
| 9 |
> xattr. Any NFS filesystems you mount will have (none) as the labels, |
| 10 |
> and all of the contents will have the label system_u:object_r:nfs_t, |
| 11 |
> even if the server is a SELinux machine. So on your client, you have to |
| 12 |
> give access to nfs_t. |
| 13 |
|
| 14 |
> You turn on nfs_portdir if you have a portage tree or overlay on NFS. |
| 15 |
> Nfs_home_dirs is if you have a NFS /home. |
| 16 |
|
| 17 |
Actually, my first attempt at this was to try to get an NFS-mounted |
| 18 |
Portage overlay to work, and I had the same sort of problem, i.e. |
| 19 |
always getting permission denied trying to access nfs_t as sysadm_t. |
| 20 |
However, emerge (running as portage_t) can access the files fine. |
| 21 |
|
| 22 |
It looks like enabling nfs_home_dirs creates general access rules for |
| 23 |
sysadm_t, staff_t, and user_t (among others) to access NFS files, |
| 24 |
which makes my NFS-mounted filesystems generally accessible. |
| 25 |
|
| 26 |
-- |
| 27 |
Computer interfaces should never be made of meat. |
| 28 |
http://www.terrybisson.com/meat.html |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-hardened@g.o mailing list |
Archives