Chapter 16. Network File System

16.1. NFS and SELinux
16.2. Types
16.3. Booleans
16.4. Configuration Examples
16.4.1. Enabling SELinux Labeled NFS Support
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.[19]
In Fedora, the nfs-utils package is required for full NFS support. Run the following command to see if the nfs-utils package is installed:
~]$ rpm -q nfs-utils
package nfs-utils is not installed
If it is not installed and you want to use NFS, use the DNF utility as root to install it:
~]# dnf install nfs-utils

16.1. NFS and SELinux

When running SELinux, the NFS daemons are confined by default except the nfsd process, which is labeled with the unconfined kernel_t domain type. The SELinux policy allows NFS to share files by default. Also, passing SELinux labels between a client and the server is supported, which provides better security control of confined domains accessing NFS volumes. For example, when a home directory is set up on an NFS volume, it is possible to specify confined domains that are able to access only the home directory and not other directories on the volume. Similarly, applications, such as Secure Virtualization, can set the label of an image file on an NFS volume, thus increasing the level of separation of virtual machines.
Support for labeled NFS is disabled by default. To enable it, see Section 16.4.1, “Enabling SELinux Labeled NFS Support”.
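The confinement described in this section can be checked from ps -eZ output: nfsd is expected in kernel_t, and the other NFS daemons in confined domains. The following shell function is an added example, not part of the original guide; the process list in it is constructed, and treating kernel_t or any domain beginning with "unconfined" as needing review for the helper daemons is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify NFS-related processes by SELinux domain.
# On a live host, feed it real data with:  ps -eZ | nfs_domains

# Constructed sample of `ps -eZ` output (not captured from a real system).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:rpcbind_t:s0    812 ?        00:00:00 rpcbind
system_u:system_r:rpcd_t:s0       901 ?        00:00:00 rpc.statd
system_u:system_r:nfsd_t:s0       915 ?        00:00:00 rpc.mountd
system_u:system_r:kernel_t:s0     920 ?        00:00:00 nfsd
system_u:system_r:kernel_t:s0     921 ?        00:00:00 nfsd
system_u:system_r:unconfined_service_t:s0 950 ? 00:00:00 rpc.idmapd'

# Reads `ps -eZ` output on stdin and prints "STATUS DOMAIN COMMAND" for each
# NFS-related process:
#   expected  nfsd running in kernel_t, as the guide describes
#   confined  a helper daemon running in its own confined domain
#   REVIEW    anything else (assumption: kernel_t or unconfined* for a
#             helper daemon, or nfsd outside kernel_t, deserves a look)
nfs_domains() {
    awk '
    NR == 1 && $1 == "LABEL" { next }            # skip the header line
    {
        cmd = $NF                                # command name is the last field
        if (cmd !~ /^(nfsd|rpcbind|rpc\.[a-z]+)$/) next
        split($1, ctx, ":")                      # user:role:type:level
        dom = ctx[3]
        if (cmd == "nfsd")
            status = (dom == "kernel_t") ? "expected" : "REVIEW"
        else if (dom == "kernel_t" || dom ~ /^unconfined/)
            status = "REVIEW"
        else
            status = "confined"
        print status, dom, cmd
    }'
}

# Run against the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE_PS" | nfs_domains
```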

