How to Configure SELinux Labeled NFS Exports
The NFS protocol transmits data in clear text over the network. Furthermore, the server relies on the client to identify users. It is not recommended to export directories with sensitive information without the use of SELinux label.
SELinux And Labeled NFS
SELinux offers additional security by locking down the capabilities of services provided in Red Hat Enterprise Linux. By default, NFS mounts have the SELinux context nfs_t, independent of the SELinux context they have on the server that provides the export.
This behavior can be changed on the client side by using the mount option context=“selinux_context”. The following example mounts the NFS export and enforces the SELinux context:system_u:object_r:public_content_rw_t:s0:
[root@desktopX ~]# mount -o context="system_u:object_r:public_content_rw_t:s0" serverX:/myshare /mnt/nfsexport
The NFS server can be forced to properly export the SELinux context of a share by switching to NFS version 4.2. This specification currently only exists as an Internet draft. It is already implemented in the NFS server shipped by CentOS/RHEL 7 but needs to be turned on explicitly.
To enable NFS version 4.2 on the serverX system to export the SELinux labels, change the RPCNFSDARGS="" line in the /etc/sysconfig/nfs file to:
RPCNFSDARGS="-V 4.2"
The nfs-server or nfs-secure-server respectively require a restart.
[root@serverX ~]# systemctl restart nfs-server
[root@serverX ~]# systemctl restart nfs-secure-server
On the client side, mount -o v4.2 must be specified as the mount option.
[root@desktopX ~]# mount -o sec=krb5p,v4.2 serverX:/securedexport /mnt/securedexport
For testing purposes, a new file with the name selinux.txt is created in the exported directory / securedexport. After creation, the SELinux type is changed to public_content_t.
[root@serverX ~]# touch /securedexport/selinux.txt
[root@serverX ~]# chcon -t public_content_t /securedexport/selinux.txt
All SELinux labels are now properly handled by serverX and forwarded to the client system desktopX.
[root@desktopX ~]# ls -Z /mnt/securedexport/
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 selinux.txt