6

I'm trying to set up an NFS share between 2 CentOS servers (filesrv & websrv) for a folder that needs to be readable & writeable by the Apache process. I'm having trouble with the writeable side of this, which I've narrowed down to SELinux configuration: Apache can write to the share if I setenforce 0 on the NFS client.

The relevant line in the exports file for the NFS server is:

/data/files/sitefiles websrv(rw,sync,no_root_squash)


The SELinux context for the shared folder on the NFS server is:

system_u:object_r:httpd_sys_rw_content_t:s0


The entry in my fstab on the NFS client is:

filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0


As far as I can tell, this should mount the NFS share with the httpd_sys_rw_content_t context, but when I check it, it's actually:

system_u:object_r:httpd_sys_content_t:s0


What could be causing it to apply the stricter context to the share?

lyserge

2 Answers

9

The simple solution should be to use the SELinux boolean httpd_use_nfs to allow your webserver to display and write content stored on an NFS share:

setsebool -P httpd_use_nfs=1
HBruijn
  • I've tried setting this, but it doesn't seem to help. NB Apache is able to read from the share regardless of whether the boolean's on or off. – lyserge Nov 13 '13 at 11:51
  • What denials are you actually getting? `ausearch -m avc -c httpd` – HBruijn Nov 13 '13 at 12:18
  • They're all in the form: avc: denied { associate } for pid=2202 comm="httpd" name="js" scontext=system_u:object_r:httpd_sys_rw_content_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem – lyserge Nov 13 '13 at 12:58
  • I don't believe a boolean exists that will allow httpd to _write_ to an NFS share - at least not until the SELinux extensions for NFS are generally available. You've got a couple of years to wait for that, though... – Michael Hampton Nov 13 '13 at 16:03
  • Setting the file context to `public_content_rw_t` or `public_content_t` for the directory on the server side should allow the `httpd` process read/write permissions. – ILMostro_7 Jul 28 '15 at 14:40
  • This answer worked for me (RHEL7). Thanks. – a coder Jul 06 '16 at 13:31
4

This problem was occurring because I was mounting multiple NFS shares from the same server, not all of which had the same context.

As per the Red Hat documentation on multiple NFS mounts, I needed to add nosharecache to my fstab line for the mounts. The correct SELinux context is then applied on a mount-by-mount basis.

The working line in my fstab is as follows:

filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs nosharecache,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0
lyserge