NFS and SELinux
In Red Hat Enterprise Linux 5 & 6, NFS is protected by the default Security-Enhanced Linux (SELinux) policy, known as the targeted policy. By default, this targeted policy allows NFS connections to the server by setting the nfs_export_all_ro and nfs_export_all_rw SELinux booleans to 1.
If you are sharing home directories over NFS while using SELinux, you must set the use_nfs_home_dirs boolean to 1 on each client connecting to the NFS server sharing the home directories. Execute the following command as root:
setsebool -P use_nfs_home_dirs 1
To verify that the setting has been changed, execute the following:
getsebool use_nfs_home_dirs
If enabled, the output should be the following:
use_nfs_home_dirs --> on
You can also change this setting by running the SELinux Management Tool. Start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to NFS. The SELinux booleans affecting NFS appear. Click the check box next to Support NFS home directories. The change takes place immediately.
The SELinux implementation in Red Hat Enterprise Linux does not require the files shared with NFS to be labeled with a specific security context. However, if more than one file-sharing protocol is configured to share the same set of files, such as FTP and Samba, the security context of the files must be set to public_content_t or public_content_rw_t instead.
Allowing NFS Connections
Before configuring the NFS server, configure your firewall settings to allow the incoming connections. While portmapper and the nfs daemon use static ports, NFS also employs four additional services: statd, mountd, rquotad, and lockd. Each of these is assigned a random port by portmapper, which makes firewall configuration difficult. However, it is possible to configure these four daemons to use static ports.
The portmapper service uses UDP and TCP port 111, and the nfs daemon uses UDP and TCP port 2049 by default.
If the default security level is enabled instead of custom IPTables rules, use the Security Level Configuration tool to allow NFS connections. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. In the Other ports area, click Add to specify each NFS port. Remember, the ports will differ depending on which static ports you choose for the four daemons.
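As an added example, not code from the original post, here is a POSIX shell script that audits both points above from captured command output: whether the booleans named on this page are on, and whether statd, mountd, lockd and rquotad are registered with portmapper on fixed ports rather than random ones. The sample outputs are constructed, and the expected static ports (statd 662, mountd 892, lockd 32803, rquotad 875) are assumed from the commented-out defaults in /etc/sysconfig/nfs; adjust them to whatever you chose.

```shell
#!/bin/sh
# Added example (not from the original post): audit, from captured command
# output, that the booleans named above are on and that the NFS helper
# daemons sit on fixed ports. Samples are constructed; the expected static
# ports are an assumption (the commented defaults in /etc/sysconfig/nfs).

# Constructed `getsebool -a | grep nfs` from a client that has not run setsebool yet.
SAMPLE_BOOLEANS='nfs_export_all_ro --> on
nfs_export_all_rw --> on
use_nfs_home_dirs --> off'

# Constructed `rpcinfo -p` from a server where rquotad was left on a dynamic port.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp    662  status
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32803  nlockmgr
    100011    2   udp  40912  rquotad'

# Print on/off for one boolean from getsebool-style output (empty if absent).
bool_state() {  # $1 = boolean name, $2 = getsebool output
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3 }'
}

# Succeed only if every boolean the post relies on is enabled.
booleans_ok() {  # $1 = getsebool output
    for b in nfs_export_all_ro nfs_export_all_rw use_nfs_home_dirs; do
        [ "$(bool_state "$b" "$1")" = "on" ] || return 1
    done
}

# Print the distinct port(s) an RPC service is registered on, one per line.
rpc_ports() {  # $1 = service name as shown by rpcinfo, $2 = rpcinfo -p output
    printf '%s\n' "$2" | awk -v s="$1" '$5 == s { print $4 }' | sort -u
}

# Succeed only if the service is registered on exactly the expected static port.
port_pinned() {  # $1 = service, $2 = expected port, $3 = rpcinfo -p output
    [ "$(rpc_ports "$1" "$3")" = "$2" ]
}
# Report what still needs fixing before the firewall rules are written.
booleans_ok "$SAMPLE_BOOLEANS" || echo "run: setsebool -P use_nfs_home_dirs 1"
for svc in "status 662" "mountd 892" "nlockmgr 32803" "rquotad 875"; do
    set -- $svc
    port_pinned "$1" "$2" "$SAMPLE_RPCINFO" || echo "$1 is not pinned to port $2"
done
```

To run it against a real system, replace the two samples with the output of `getsebool -a` on the client and `rpcinfo -p` on the server.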
2 comments:
If this syntax does not work "setsebool -P use_nfs_home_dirs boolean 1" try this "setsebool -P use_nfs_home_dirs=true"
setsebool -P use_nfs_home_dirs boolean 1
or
setsebool -P use_nfs_home_dirs 1