How to Configure SELinux Labeled NFS Exports

The NFS protocol transmits data in clear text over the network. Furthermore, the server relies on the client to identify users. It is not recommended to export directories with sensitive information without the use of SELinux label.

SELinux And Labeled NFS

SELinux offers additional security by locking down the capabilities of services provided in Red Hat Enterprise Linux. By default, NFS mounts have the SELinux context nfs_t, independent of the SELinux context they have on the server that provides the export.

This behavior can be changed on the client side by using the mount option context=“selinux_context”. The following example mounts the NFS export and enforces the SELinux context:system_u:object_r:public_content_rw_t:s0:

[root@desktopX ~]# mount -o context="system_u:object_r:public_content_rw_t:s0" serverX:/myshare /mnt/nfsexport

The NFS server can be forced to properly export the SELinux context of a share by switching to NFS version 4.2. This specification currently only exists as an Internet draft. It is already implemented in the NFS server shipped by CentOS/RHEL 7 but needs to be turned on explicitly.

To enable NFS version 4.2 on the serverX system to export the SELinux labels, change the RPCNFSDARGS="" line in the /etc/sysconfig/nfs file to:

RPCNFSDARGS="-V 4.2"

The nfs-server or nfs-secure-server respectively require a restart.

[root@serverX ~]# systemctl restart nfs-server
[root@serverX ~]# systemctl restart nfs-secure-server

On the client side, mount -o v4.2 must be specified as the mount option.

[root@desktopX ~]# mount -o sec=krb5p,v4.2 serverX:/securedexport /mnt/securedexport

For testing purposes, a new file with the name selinux.txt is created in the exported directory / securedexport. After creation, the SELinux type is changed to public_content_t.

[root@serverX ~]# touch /securedexport/selinux.txt
[root@serverX ~]# chcon -t public_content_t /securedexport/selinux.txt

All SELinux labels are now properly handled by serverX and forwarded to the client system desktopX.


[root@desktopX ~]# ls -Z /mnt/securedexport/
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 selinux.txt

Note: In a default installation of Red Hat Enterprise Linux 7, the nfs_export_all_ro and nfs_export_all_rw SELinux Booleans are both enabled. This allows the NFS daemon to read and write almost any file. To lock down the capabilities of the NFS server, disable these Booleans. For content to be readable by NFS, it should have the public_content_t or nfs_t SELinux context. For content to be both readable and writable, it should have the public_content_rw_t or nfs_t context. If the public_content_rw_t context is used, the nfsd_anon_write Boolean must be enabled to allow writes. Additional NFS-related SELinux information can be found in the nfsd_selinux(8) man page, which is provided by the selinux-policy-devel RPM package.

How to Configure SELinux Labeled NFS Exports

SELinux And Labeled NFS

Latest Posts