6.4.1. Sharing directories using NFS
The example in this section creates a directory and shares it using NFS and SELinux. Two hosts are used in this example; a NFS server with a hostname of nfs-srv with an IP address of 192.168.1.1, and a client with a hostname of nfs-client and an IP address of 192.168.1.100. Both hosts are on the same subnet (192.168.1.0/24). This is an example only and assumes that the nfs-utils package is installed, that the SELinux targeted policy is used, and that SELinux is running in enforced mode.
This example will show that while even with full network availability and Linux file permissions granting access to all users via NFS, SELinux is still able to block mounting of NFS file systems unless the proper permissions are given via SELinux Booleans.
Steps 1-10 in the following procedure should be performed on the NFS server, nfs-srv.
-
Run the setsebool command to disable read/write mounting of NFS file systems:
setsebool -P nfs_export_all_rw off
Do not use the -P option if you do not want setsebool changes to persist across reboots.
-
Run rpm -q nfs-utils to confirm the nfs-utils package is installed. The nfs-utils package provides support programs for using NFS and should be installed on a NFS server and on any clients in use. If this package is not installed, install it by running yum install nfs-utils as the root user.
-
Run mkdir /myshare as the root user to create a new top-level directory to share using NFS.
-
Run touch /myshare/file1 as the root user to create a new empty file in the shared area. This file will be accessed later by the client.
-
To show that SELinux is still able to block access even when Linux permissions are completely open, give the /myshare directory full Linux access rights for all users:
# chmod -R 777 /myshare
This is an example only and these permissions should not be used in a production system.
-
Edit the /etc/exports file and add the following line to the top of the file:
/myshare 192.168.1.100(rw)
This entry shows the full path on the server to the shared folder /myshare, the host or network range that nfs-srv will share to (in this case the IP address of a single host, nfs-client at 192.168.1.100), and finally the share permissions. Read and write permissions are given here, as indicated by (rw).
-
The TCP and UDP ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify the process of allowing NFS traffic through the firewall in this example, edit the /etc/sysconfig/nfs file and uncomment the MOUNTD_PORT,STATD_PORT,LOCKD_TCPPORT and LOCKD_UDPPORT variables. Changing the port numbers in this file is not required for this example.
Ensure that incoming connections are allowed through the server's firewall. This can be done via the system-config-firewall tool:
-
TCP and UDP port 2049 for NFS.
-
TCP and UDP port 111 (rpcbind/sunrpc).
-
The TCP and UDP port specified by the MOUNTD_PORT="port" option.
-
The TCP and UDP port specified by the STATD_PORT="port" option.
-
The TCP port specified by the LOCKD_TCPPORT="port" option.
-
The UDP port specified by the LOCKD_UDPPORT="port" option.
-
Run service nfs start as the root user to start NFS and its related services:
# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
-
To ensure that the NFS subsystem export table is updated, run exportfs -rv as the root user:
# exportfs -rv
exporting 192.168.1.100:/myshare
-
Run showmount -e as the root user to show all exported file systems:
# showmount -e
Export list for nfs-srv:
/myshare 192.168.1.100
At this point the server nfs-srv has been configured to allow NFS communications to nfs-client at 192.168.1.100, and full Linux file systems permissions are active. If SELinux were disabled, the client would be able to mount this share and have full access over it. However, as the nfs_export_all_rw Boolean is disabled, the client is currently not able to mount this file system, as shown in the following output. This step should be performed on the client, nfs-client:
[nfs-client]# mkdir /myshare
[nfs-client]# mount.nfs 192.168.1.1:/myshare /myshare
mount.nfs: access denied by server while mounting 192.168.1.1:/myshare/
Enable the SELinux Boolean that was disabled in Step 1 above, and the client will be able to successfully mount the shared file system. This step should be performed on the NFS server, nfs-srv:
[nfs-srv]# setsebool -P nfs_export_all_rw on
Restart the NFS daemon:
[nfs-srv]# service nfs restart
Now try to mount the NFS file system again. This step should be performed on the NFS client, nfs-client:
[nfs-client]# mount.nfs 192.168.1.1:/myshare /myshare
[nfs-client]#
[nfs-client]# ls /myshare
total 0
-rwxrwxrwx. 1 root root 0 2009-04-16 12:07 file1
[nfs-client]#
The file system has been mounted successfully by the client. This example demonstrates how SELinux adds another layer of protection and can still enforce SELinux permissions even when Linux permissions are set to give full rights to all users.
