Red Hat Bugzilla – Bug 119461
SELinux FAQ - how to give file contexts to NFS shares
Last modified: 2007-04-18 13:04:58 EDT
Description of change/FAQ addition. If a change, include the original
text first, then the changed text:
> I'm wondering how selinux is going to interact with non-FC2
> mail server and "home" server are both running RedHat 8.0 for now
> summer I'm planning on taking them to RHEL 3. My users login to 3
> systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same
> directory. Am I going to have to disable selinux?
No, SELinux does nothing to NFS over the wire at this stage.
You can specify the security context of an NFS mount locally with the
context= option to mount. This is something the kernel only sees
the remote server is not aware of anything.
# mount -t nfs -o context=system_u:object_r:tmp_t server:/some/path
All of the files on the mount will appear to have the context
system_u:object_r:tmp_t to SELinux.
Version-Release of FAQ (found on
*** Bug 119719 has been marked as a duplicate of this bug. ***
This is to capture the question from 119719 that is related to this
bug; 119719 has been reopened to keep the first question there alive,
which is not related to this question.
## begin copy from 119719
Opened by George Moody (firstname.lastname@example.org) on 2004-04-01 14:42
Here are two questions likely to be frequently asked, missing from the
FAQ. They belong right after "Q: I installed Fedora Core on a system
with an existing /home partition, and now I can't log in."
Q: If I relabel my existing /home partition after upgrading to FC2,
will I still be able to read it if I need to revert to FC1? (In other
words, am I burning my bridges when I run setfiles or fixfiles?)
Q: Can an NFS-mountable /home partition be shared by FC1 and FC2
------- Additional Comment #1 From Karsten Wade (email@example.com) on
2004-04-01 17:52 -------
Adding blocking (back?) against 118757 for tracking purposes.
Research on answers currently occurring on fedora-selinux-list:
Here are the revised two questions. Cc:'d are the two developers who
have answered these questions on list; please review the accuracy of
these comments. I'm going to roll these into the FAQ in the next few
hours because I believe they are primarily accurate, and are timely
and useful. Please reply to this bug report with any changes.
Q: After relabeling my /home using setfiles or fixfiles, will I still
be able to read the partition with a Fedora Core 1 system?
A: You can read the files from a non-SELinux distribution such as
Fedora Core 1 or Red Hat Linux. However, files created by the
non-SELinux using systems will not have a security context, nor will
any files you remove and recreate. This could be a challenge with
files such as ~/.bashrc. You may have to relabel your /home when you
return to Fedora Core 2 test2.
Q: How do I share directories using NFS between Fedora Core 2 test2
and non-SELinux systems?
A: Just as NFS transparently supports many file system types, it can
be used to share directories between SELinux and non-SELinux systems.
When mounting a non-SELinux file system via NFS, by default SELinux
will treat all the files in the share as having a context of nfs_t.
You can override the default context by setting it manually using the
context= option. For example, this would make the files in the NFS
mounted directory appear to have a context of system_u:object_r:tmp_t
mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo
When SELinux exports a file system via NFS, files created will have the
context of the directory they were created in. In other words, the
presence of SELinux on the remote mounting system has no effect on the
local file contexts.
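
An added example, not part of the original bug report or the FAQ: a shell function that reads a mount table in /proc/mounts format and reports, for each NFS mount, the context= override or the nfs_t default described above. The sample lines, mount points and address are constructed, and it assumes the context= option is listed in the options field of the mount table.

```shell
#!/bin/sh
# Added example: show which SELinux context applies to each NFS mount.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample mount table (hypothetical hosts and paths).
sample_mounts() {
    cat <<'EOF'
server:/shared/foo /mnt/foo nfs rw,relatime,context=system_u:object_r:tmp_t,vers=3,addr=192.0.2.10 0 0
server:/home /home nfs rw,relatime,vers=3,addr=192.0.2.10 0 0
server:/export /mnt/x nfs rw,fscontext=system_u:object_r:nfs_t 0 0
/dev/hda1 / ext3 rw 0 0
EOF
}

# Print "mountpoint<TAB>context" for every nfs/nfs4 line.
# Reads the files given as arguments, or stdin when there are none.
nfs_contexts() {
    awk '
    $3 ~ /^nfs4?$/ {
        # Without context=, SELinux treats the share as nfs_t.
        ctx = "nfs_t (default)"
        # Anchor on start-of-field or a comma so that fscontext=,
        # defcontext= and rootcontext= are not mistaken for context=.
        # A quoted value (used when the context contains commas) is
        # matched as a whole.
        if (match($4, /(^|,)context=("[^"]*"|[^,]*)/)) {
            ctx = substr($4, RSTART, RLENGTH)
            sub(/^,?context=/, "", ctx)
            gsub(/"/, "", ctx)
        }
        print $2 "\t" ctx
    }' "$@"
}

# Demonstration on the constructed sample; on a live system use:
#   nfs_contexts /proc/mounts
sample_mounts | nfs_contexts
```

Mounts reported as "nfs_t (default)" are the ones that would need a context= option to be labeled differently.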
I want to have the Linux OS source code about creating boot disk
Can you help me?
With no changes for this entry, it was included in 1.0-4.