Configuring a Linux NFS server in a SELinux-managed environment
The Linux kernel has supported NFS for as long as I can remember. All of the major distributions (Redhat, CentOS, Fedora, Suse, Ubunut) ship with NFS client and server support and have all of the user land daemons and tools needed to configure and debug NFS. I spent some time this past weekend bringing up a new NFS server in a SELinux-managed environment, and thought I would share my experience with my readers.
Setting up a Linux NFS server with SELinux can be done in just a few simple steps:
- Configure SELinux to allow remote hosts to access content that is exported through NFS.
- Add file systems that you want to export to the /etc/exports file.
- Enable the NFS services.
SELinux does not allow remote content to be accessed by default. This can easily be fixed by enabling one of the three SELinux booleans listed below:
nfs_export_all_ro -- allows file systems to be exported read-only nfs_export_all_rw -- allows file systems to be exported read-write use_nfs_home_dirs -- allows home directories to be exported over NFS
To set a boolean you can use the setsebool utility:
setsebool -P nfs_export_all_rw=on
Once SELinux has been instructed to allow NFS exports, you can add the file systems you want to export to /etc/exports. This file has the following format:
To export the file system/exports/nfs to clients on the 192.168.1.0/24 network or in the prefetch.net domain, we can add an entry similar to the following to /etc/exports
/export/nfs 192.168.1.0/255.255.255.0(rw,sync) *.prefetch.net(rw,sync)
To start the NFS services on your server, you will need to enable the portmap and nfs services. This can be accomplished with chkconfig and service:
chkconfig portmap on chkconfig nfs on chkconfig nfslock on service portmap start Starting portmap: [ OK ] service nfs start Starting NFS services: [ OK ] Starting NFS quotas: [ OK ] Starting NFS daemon: [ OK ] Starting NFS mountd: [ OK ] service nfslock start Starting NFS statd: [ OK ]
The file systems listed in /etc/exports should now be exported, and you can verify this with the exportfs utility:
exportfs /export/nfs 192.168.1.0/255.255.255.0 /export/nfs *.prefetch.net
To verify a mount is functioning, you can try mounting it from a client that falls inside the ACL:
mount server:/export/nfs /export/nfs
If this fails or you receive a permission denied error you can check the following things:
- Check setroubleshootd to see if SELinux is blocking access.
- Verify that the portmap and nfs services are running.
- Check nfsstat and exportfs to view the NFS statistics and exported file systems.
- If a firewall is configured, verify that iptables is allowing access.
If everything is working as expected, you should pat yourself on the back for a job well done!