16.4. Configuration Examples
16.4.1. Enabling SELinux Labeled NFS Support
The following example demonstrates how to enable SELinux labeled NFS support. This example assumes that the nfs-utils package is installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Note
Steps 1-3 are supposed to be performed on the NFS server,
nfs-srv.
- If the NFS server is running, stop it:
[nfs-srv]#
systemctl stop nfsConfirm that the server is stopped:[nfs-srv]#
systemctl status nfsnfs-server.service - NFS Server Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled) Active: inactive (dead) - Edit the
/etc/sysconfig/nfsfile to set theRPCNFSDARGSflag to"-V 4.2":# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8) RPCNFSDARGS="-V 4.2"
- Start the server again and confirm that it is running. The output will contain information below, only the time stamp will differ:
[nfs-srv]#
systemctl start nfs[nfs-srv]#
systemctl status nfsnfs-server.service - NFS Server Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled) Active: active (exited) since Wed 2013-08-28 14:07:11 CEST; 4s ago - On the client side, mount the NFS server:
[nfs-client]#
mount -o v4.2 server:mntpoint localmountpoint - All SELinux labels are now successfully passed from the server to the client:
[nfs-srv]$
ls -Z file-rw-rw-r--. user user unconfined_u:object_r:svirt_image_t:s0 file [nfs-client]$ls -Z file-rw-rw-r--. user user unconfined_u:object_r:svirt_image_t:s0 file
Note
If you enable labeled NFS support for home directories or other content, the content will be labeled the same as it was on an EXT file system. Also note that mounting systems with different versions of NFS or an attempt to mount a server that does not support labeled NFS could cause errors to be returned.
