Bug 119461 - SELinux FAQ - how to give file contexts to NFS shares
Summary: SELinux FAQ - how to give file contexts to NFS shares
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Documentation
Classification: Retired
Component: selinux-faq
Version: devel
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
URL: http://people.redhat.com/kwade/fedora...
Whiteboard:
: 119719 (view as bug list)
Depends On:
Blocks: 118757
TreeView+ depends on / blocked
 
Reported: 2004-03-30 18:39 UTC by Karsten Wade
Modified: 2007-04-18 17:04 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-04-06 23:07:31 UTC
Embargoed:


Attachments (Terms of Use)

Description Karsten Wade 2004-03-30 18:39:36 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:


> Hi,
>   I'm wondering how selinux is going to interact with non-FC2
machines?  My
> mail server and "home" server are both running RedHat 8.0 for now
and this
> summer I'm planning on taking them to RHEL 3.  My users login to 3
different
> systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same
home
> directory.  Am I going to have to disable selinux?

No, SELinux does nothing to NFS over the wire at this stage.

You can specify the security context of an NFS mount locally with the 
context= option to mount.  This is something the kernel only sees
locally, 
the remote server is not aware of anything.

e.g. 

# mount -t nfs -o context=system_u:object_r:tmp_t server:/some/path
/mnt/wherever

All of the files on the mount will appear to have the context
system_u:object_r:tmp_t to SELinux.




Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

selinux-faq-1.0-2 (2004-03-30-T16:20-0800)

Comment 1 Karsten Wade 2004-04-02 19:40:18 UTC
*** Bug 119719 has been marked as a duplicate of this bug. ***

Comment 2 Karsten Wade 2004-04-02 19:44:52 UTC
This is to capture the question from 119719 that is related to this
bug; 119719 has been reopened to keep the first question there alive,
which is not related to this question.

## begin copy from 119719

Opened by George Moody (george) on 2004-04-01 14:42

Private Comment

Here are two questions likely to be frequently asked, missing from the
FAQ.  They belong right after "Q: I installed Fedora Core on a system
with an existing /home partition, and now I can't log in."

Q: If I relabel my existing /home partition after upgrading to FC2,
will I still be able to read it if I need to revert to FC1? (In other
words, am I burning my bridges when I run setfiles or fixfiles?)

Q: Can an NFS-mountable /home partition be shared by FC1 and FC2
installations?


------- Additional Comment #1 From Karsten Wade (kwade) on
2004-04-01 17:52 -------
Private Comment

Adding blocking (back?) against 118757 for tracking purposes.

Research on answers currently occuring on fedora-selinux-list:

http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00012.html

## 30

Comment 3 Karsten Wade 2004-04-02 22:47:13 UTC
Here are the revised two questions.  Cc:'d are the two developers who
have answered these questions on list; please review the accuracy of
these comments.  I'm going to roll these into the FAQ in the next few
hours because I believe they are primarily accurate, and are timely
and useful.  Please reply to this bug report with any changes.

## begin

Q:. After relabeling my /home using setfiles or fixfiles, will I still
be able to read the partition with a Fedora Core 1 system?

A:.  You can read the files from a non-SELinux distribution such as
Fedora Core 1 or Red Hat Linux. However, files created by the
non-SELinux using systems will not have a security context, nor will
any files you remove and recreate. This could be a challenge with
files such as ~/.bashrc. You may have to relabel your /home when you
return to Fedora Core 2 test2.


Q:. How do I share directories using NFS between Fedora Core 2 test2
and non-SELinux systems?

A:. Just as NFS transparently supports many file system types, it can
be used to share directories between SELinux and non-SELinux systems.

When mounting a non-SELinux file system via NFS, by default SELinux
will treat all the files in the share as having a context of nfs_t.
You can override the default context by setting it manually using the
context= option. For example, this would make the files in the NFS
mounted directory appear to have a context of system_u:object_r:tmp_t
to SELinux:


mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo
/mnt/foo

When SELinux exports a file sytem via NFS, files created will have the
context of the directory they were created in. In other words, the
presence of SELinux on the remote mounting system has no effect on the
local file contexts. 

## 30

Comment 4 Karsten Wade 2004-04-03 01:47:14 UTC
*** Bug 119719 has been marked as a duplicate of this bug. ***

Comment 5 Tran Thanh Dat 2004-04-04 02:42:01 UTC
Hi !
I want to have the linux os source code about creating boot disk
Can you help me ?

Comment 6 Karsten Wade 2004-04-06 23:07:31 UTC
With no changes for this entry, it was included in 1.0-4.


Note You need to log in before you can comment on or make changes to this bug.