Bug 119461

Summary: SELinux FAQ - how to give file contexts to NFS shares
Product: [Fedora] Fedora Documentation
Component: selinux-faq
Reporter: Karsten Wade <kwade>
Assignee: Karsten Wade <kwade>
QA Contact: Tammy Fox <tammy.c.fox>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: devel
CC: dwalsh, george, jmorris
Hardware: All
OS: Linux
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Doc Type: Bug Fix
Last Closed: 2004-04-06 23:07:31 UTC
Bug Blocks: 118757

Description Karsten Wade 2004-03-30 18:39:36 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:


> Hi,
>   I'm wondering how selinux is going to interact with non-FC2 machines?  My
> mail server and "home" server are both running RedHat 8.0 for now and this
> summer I'm planning on taking them to RHEL 3.  My users login to 3 different
> systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same home
> directory.  Am I going to have to disable selinux?

No, SELinux does nothing to NFS over the wire at this stage.

You can specify the security context of an NFS mount locally with the
context= option to mount.  This is something the kernel only sees
locally; the remote server is not aware of anything.

e.g. 

# mount -t nfs -o context=system_u:object_r:tmp_t server:/some/path /mnt/wherever

All of the files on the mount will appear to have the context
system_u:object_r:tmp_t to SELinux.




Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

selinux-faq-1.0-2 (2004-03-30-T16:20-0800)

Comment 1 Karsten Wade 2004-04-02 19:40:18 UTC
*** Bug 119719 has been marked as a duplicate of this bug. ***

Comment 2 Karsten Wade 2004-04-02 19:44:52 UTC
This is to capture the question from 119719 that is related to this
bug; 119719 has been reopened to keep the first question there alive,
which is not related to this question.

## begin copy from 119719

Opened by George Moody (george) on 2004-04-01 14:42

Private Comment

Here are two questions likely to be frequently asked, missing from the
FAQ.  They belong right after "Q: I installed Fedora Core on a system
with an existing /home partition, and now I can't log in."

Q: If I relabel my existing /home partition after upgrading to FC2,
will I still be able to read it if I need to revert to FC1? (In other
words, am I burning my bridges when I run setfiles or fixfiles?)

Q: Can an NFS-mountable /home partition be shared by FC1 and FC2
installations?


------- Additional Comment #1 From Karsten Wade (kwade) on 2004-04-01 17:52 -------
Private Comment

Adding blocking (back?) against 118757 for tracking purposes.

Research on answers currently occurring on fedora-selinux-list:

http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00012.html

## 30

Comment 3 Karsten Wade 2004-04-02 22:47:13 UTC
Here are the revised two questions.  Cc:'d are the two developers who
have answered these questions on list; please review the accuracy of
these comments.  I'm going to roll these into the FAQ in the next few
hours because I believe they are primarily accurate, and are timely
and useful.  Please reply to this bug report with any changes.

## begin

Q:. After relabeling my /home using setfiles or fixfiles, will I still
be able to read the partition with a Fedora Core 1 system?

A:.  You can read the files from a non-SELinux distribution such as
Fedora Core 1 or Red Hat Linux. However, files created by the
non-SELinux using systems will not have a security context, nor will
any files you remove and recreate. This could be a challenge with
files such as ~/.bashrc. You may have to relabel your /home when you
return to Fedora Core 2 test2.


Q:. How do I share directories using NFS between Fedora Core 2 test2
and non-SELinux systems?

A:. Just as NFS transparently supports many file system types, it can
be used to share directories between SELinux and non-SELinux systems.

When mounting a non-SELinux file system via NFS, by default SELinux
will treat all the files in the share as having a context of nfs_t.
You can override the default context by setting it manually using the
context= option. For example, this would make the files in the NFS
mounted directory appear to have a context of system_u:object_r:tmp_t
to SELinux:


mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo

When SELinux exports a file system via NFS, files created will have the
context of the directory they were created in. In other words, the
presence of SELinux on the remote mounting system has no effect on the
local file contexts. 

## 30
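
An added example (not part of the bug report or the FAQ text): a shell function that reads a mount table in /proc/mounts format and reports, for each NFS mount, the SELinux type local processes will see, falling back to nfs_t when no context= option is present, as Comment 3 describes. The function names, hosts and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the SELinux type each NFS mount presents locally.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass.
# Output: "<mountpoint> <type> <override|default>", one line per NFS mount.

nfs_label_report() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        opts = "," $4          # leading comma so ",context=" never matches fscontext= etc.
        ctx = ""; has = 0
        if (match(opts, /,context="[^"]*"/)) {        # quoted form (value contains commas)
            ctx = substr(opts, RSTART, RLENGTH); has = 1
        } else if (match(opts, /,context=[^,]*/)) {   # plain form
            ctx = substr(opts, RSTART, RLENGTH); has = 1
        }
        if (!has) {
            type = "nfs_t"     # default for NFS mounts, per the FAQ answer
            src = "default"
        } else {
            sub(/^,context=/, "", ctx)
            gsub(/"/, "", ctx)
            # A context is user:role:type, optionally followed by a level.
            n = split(ctx, part, ":")
            type = (n >= 3 && part[3] != "") ? part[3] : "INVALID"
            src = "override"
        }
        printf "%s %s %s\n", $2, type, src
    }'
}

# Constructed sample mount table (hosts, paths and addresses are made up).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
server:/shared/foo /mnt/foo nfs rw,context=system_u:object_r:tmp_t,addr=192.0.2.10 0 0
server:/home /home nfs rw,hard,addr=192.0.2.10 0 0
server:/bad /mnt/bad nfs rw,context=tmp_t 0 0
EOF
}

sample_mounts | nfs_label_report
# On a live system: nfs_label_report < /proc/mounts
```

An INVALID row marks a context= value that is not a full user:role:type triple, which is worth checking before relying on policy written for that mount.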

Comment 4 Karsten Wade 2004-04-03 01:47:14 UTC
*** Bug 119719 has been marked as a duplicate of this bug. ***

Comment 5 Tran Thanh Dat 2004-04-04 02:42:01 UTC
Hi !
I want to have the linux os source code about creating boot disk
Can you help me ?

Comment 6 Karsten Wade 2004-04-06 23:07:31 UTC
With no changes for this entry, it was included in 1.0-4.