
10.6.4. Configuration Examples: Sharing directories using NFS

The example in this section creates a directory and shares it using NFS and SELinux. Two hosts are used in this example; an NFS server with a hostname of nfs-srv with an IP address of, and a client with a hostname of nfs-client and an IP address of Both hosts are on the same subnet ( This is an example only and assumes that the nfs-utils package is installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
This example shows that even with full network availability and Linux file permissions granting all users access via NFS, SELinux is still able to block mounting of NFS file systems unless the proper permissions are given via SELinux Booleans.

Server setup
Steps 1-10 below should be performed on the NFS server, nfs-srv.
  1. Run the setsebool command to disable read/write mounting of NFS file systems:
    # setsebool -P nfs_export_all_rw off
    Do not use the -P option if you do not want setsebool changes to persist across reboots.
  2. Run rpm -q nfs-utils to confirm the nfs-utils package is installed. The nfs-utils package provides support programs for using NFS and should be installed on an NFS server and on any clients in use. If this package is not installed, install it by running yum install nfs-utils as the root user.
  3. Run mkdir /myshare as the root user to create a new top-level directory to share using NFS.
  4. Run touch /myshare/file1 as the root user to create a new empty file in the shared area. This file will be accessed later by the client.
  5. To show that SELinux is still able to block access even when Linux permissions are completely open, give the /myshare directory full Linux access rights for all users:
    # chmod -R 777 /myshare
    This is an example only and these permissions should not be used in a production system.
  6. Edit the /etc/exports file and add the following line to the top of the file:
    This entry shows the full path on the server to the shared folder /myshare, the host or network range that nfs-srv will share to (in this case the IP address of a single host, nfs-client at, and finally the share permissions. Read and write permissions are given here, as indicated by (rw).
  7. The TCP and UDP ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify the process of allowing NFS traffic through the firewall in this example, edit the /etc/sysconfig/nfs file and uncomment the MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT variables. Changing the port numbers in this file is not required for this example.
    Ensure that incoming connections on TCP ports 111, 892 and 2049 are allowed through the server's firewall. This can be done via the system-config-firewall tool in Fedora.
  8. Run service nfs start as the root user to start NFS and its related services:
    # service nfs start
    Starting NFS services:		[  OK  ]
    Starting NFS quotas:		[  OK  ]
    Starting NFS daemon:		[  OK  ]
    Starting NFS mountd:		[  OK  ]
  9. To ensure that the NFS subsystem export table is updated, run exportfs -rv as the root user:
    # exportfs -rv
  10. Run showmount -e as the root user to show all exported file systems:
    # showmount -e
    Export list for nfs-srv:
At this point the server nfs-srv has been configured to allow NFS communications to nfs-client at, and full Linux file system permissions are active. If SELinux were disabled, the client would be able to mount this share and have full access over it. However, as the nfs_export_all_rw Boolean is disabled, the client is currently not able to mount this file system, as shown below. This step should be performed on the client, nfs-client:
[nfs-client]# mkdir /myshare
[nfs-client]# mount.nfs /myshare
mount.nfs: access denied by server while mounting
Enable the SELinux Boolean that was disabled in Step 1 above, and the client will be able to successfully mount the shared file system. This step should be performed on the NFS server, nfs-srv:
[nfs-srv]# setsebool -P nfs_export_all_rw on
Now try to mount the NFS file system again. This step should be performed on the NFS client, nfs-client:
[nfs-client]# mount.nfs /myshare
[nfs-client]# ls /myshare
total 0
-rwxrwxrwx.  1 root root 0 2009-04-16 12:07 file1
The file system has been mounted successfully by the client. This example demonstrates how SELinux adds another layer of protection and can still enforce SELinux permissions even when Linux permissions are set to give full rights to all users.
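As an added example (not part of the Fedora guide), the following POSIX shell script checks each /etc/exports entry against the state of the nfs_export_all_rw Boolean and reports which read/write exports would be blocked the way /myshare is above. It assumes export lines in the single-host form shown in step 6 (path, client, options in parentheses) and the one-line output format of getsebool; the sample export line and the client name are constructed.

```shell
#!/bin/sh
# Added example: decide whether an /etc/exports entry is a read/write export
# that SELinux would block while nfs_export_all_rw is off. Mirrors the guide's
# scenario of a directory with no special SELinux label (such as /myshare).

# Parse one export line of the form "<path> <client>(<options>)".
# Prints "path client options"; returns 1 on a malformed line.
parse_export_line() {
    line=$1
    case "$line" in
        /*" "*"("*")")
            path=${line%% *}
            rest=${line#* }
            client=${rest%%(*}
            opts=${rest#*(}
            opts=${opts%)}
            printf '%s %s %s\n' "$path" "$client" "$opts" ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the comma-separated export options include rw.
export_is_rw() {
    case ",$1," in
        *,rw,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes the text printed by "getsebool nfs_export_all_rw"
# (for example "nfs_export_all_rw --> off"); returns 0 if the Boolean is on.
boolean_is_on() {
    case "$1" in
        *"--> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "blocked", "allowed" or "malformed" for an export line and Boolean state.
check_export() {
    fields=$(parse_export_line "$1") || { echo "malformed"; return 2; }
    opts=${fields##* }
    if export_is_rw "$opts" && ! boolean_is_on "$2"; then
        echo "blocked"
    else
        echo "allowed"
    fi
}

# Live check on an SELinux host; skipped where the tools or file are absent.
if command -v getsebool >/dev/null 2>&1 && [ -r /etc/exports ]; then
    bool_state=$(getsebool nfs_export_all_rw)
    grep '^/' /etc/exports | while IFS= read -r entry; do
        printf '%s: %s\n' "$entry" "$(check_export "$entry" "$bool_state")"
    done
fi
```

Run it as root on nfs-srv after step 6; an entry reported as "blocked" is exactly the case the client's "access denied by server" message corresponds to.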