* Re: Issue with SELinux Labeled NFS
2014-03-11 18:41 Issue with SELinux Labeled NFS Anthony Messina
@ 2014-03-22 6:43 ` Anthony Messina
0 siblings, 0 replies; 2+ messages in thread
From: Anthony Messina @ 2014-03-22 6:43 UTC (permalink / raw)
To: Linux NFS Mailing List
[-- Attachment #1: Type: text/plain, Size: 3542 bytes --]
On Tuesday, March 11, 2014 01:41:49 PM you wrote:
> I've begun testing out the labeled NFSv4.2 features with good success with
> only one exception so far. I have several workstations that use NFSv4.2
> mounted /home directories. I've been able to remove the SELinux boolean
> requirement for 'use_nfs_home_dirs', however, on *one* of these
> workstations, the /home directory is labeled 'unlabeled_t' after boot when
> it should be labeled with 'home_root_t'. This problem causes failures, as
> you can imagine.
>
> I mount the filesystem on all of the workstations in the same manner:
> # /etc/fstab
> ...
> server.com:/home /home nfs rw,minorversion=2,sec=krb5p,x-systemd.automount 0
> 0
>
> Yet the issue occurs on only *one* workstation. If I manually issue
>
> chcon -t home_root_t /home
>
> then I am able to login and use the system without issue.
>
> All of the servers and workstations are using
>
> kernel-3.13.6-200.fc20.x86_64
> nfs-utils-1.2.9-3.0.fc20.x86_64
>
> I realize this is not the SELinux mailing list, but I was wondering if
> anyone had any pointers on how to investigate this issue. The
> workstations are all nearly identical in configuration with the exception
> of a few user-based differences such as GnuCash on one, but not the other,
> etc.
While I haven't yet found a solution to this problem, I am able to confirm
that I now see this other workstations and it appears that it may be some sort
of race condition between the two mounts in the clients' fstab since it
doesn't always occur on every workstation. Perhaps someone can help me spot a
problem in the following server or client configuration.
My single NFS server has the following in /etc/exports:
/export 2001:123:456:789::/64(fsid=0,crossmnt,sec=krb5p:krb5i) \
10.1.1.0/24(fsid=0,crossmnt,sec=krb5p:krb5i)
/export/home 2001:123:456:789::/64(rw,sec=krb5p) \
10.1.1.0/24(rw,sec=krb5p)
/export/media 2001:123:456:789::/64(rw,sec=krb5p:krb5i) \
10.1.1.0/24(rw,sec=krb5p:krb5i)
/export/software 2001:123:456:789::/64(rw,sec=krb5p:krb5i) \
10.1.1.0/24(rw,sec=krb5p:krb5i)
And the following bind mounts in /etc/fstab:
/home /export/home none bind 0 0
/srv/media /export/media none bind 0 0
/srv/software /export/software none bind 0 0
And the following labels for the exported filesystems:
~]# ls -lZ /
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
~]# ls -lZ /srv
drwxr-x---. auser agroup system_u:object_r:public_content_rw_t:s0 media
drwxr-x---. auser family system_u:object_r:public_content_rw_t:s0 software
~]# ls -lZ /export
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
drwxr-x---. auser agroup system_u:object_r:public_content_rw_t:s0 media
drwxr-x---. auser family system_u:object_r:public_content_rw_t:s0 software
The clients mount the exports via the following in /etc/fstab
server.com:/home /home nfs rw,minorversion=2,sec=krb5p,x-systemd.automount 0 0
server.com:/ /mnt/srv nfs rw,minorversion=2,sec=krb5i,x-systemd.automount 0 0
Again, the issue is that the /home mount on the clients tends to be mounted as
"unlabeled_t" which causes failures with SELinux enabled.
Is there an issue in the way I'm exporting things that may cause this?
Thanks in advance for any pointers. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread