Wrong SELinux labels on NFS homes?

cornuz asked:

I have NFS (v4) home directories.
The NFS server is a Synology (DSM 5.2), the client is a FC 23.

The client gets autofs settings from a freeIPA server:

ipa automountmap-add default auto.home
ipa automountkey-add default --key "/home" --info auto.home auto.master
ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=sys,hard,intr,rsize=8192,wsize=8192 nfsserver.hq.example.com:/volume1/shared_homes/&" auto.home

While investigating a problem with file access rights, I checked the SELinux labels on the mounted homedirs:

$ matchpathcon -V /home
/home has context system_u:object_r:autofs_t:s0, should be system_u:object_r:home_root_t:s0


$ matchpathcon -V /home/roberto
/home/roberto has context system_u:object_r:nfs_t:s0, should be unconfined_u:object_r:user_home_dir_t:s0

I admit SELinux still gives me a hard time; I’m wondering whether the contexts above should be fixed.

From what I have understood (please correct me otherwise), this has to do with SELinux Labeled NFS support, which would allow labels to be given as if files were on a local filesystem, rather than a generic nfs_t label. For this to work NFS v4.2 is required.
Since my NFS server is on DSM, I doubt it supports v4.2 already.

My question is: is my client simply telling me “update your server and get this new cool feature working”, in which case I should not worry much, or is this really something to fix? And if so, how?

My answer:

You should just be able to set the use_nfs_home_dirs boolean and get on with life:

setsebool -P use_nfs_home_dirs on

View the full question and any other answers on Server Fault.
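
The following is an added example, not part of the original question or answer. It parses `matchpathcon -V` lines in the format shown in the question and separates mismatches whose actual type is nfs_t or autofs_t (assigned by the mount when labeled NFS is not in use) from mislabels on other file systems. The category names and function names are hypothetical, and the third sample line is constructed.

```bash
#!/bin/sh
# Added example: triage `matchpathcon -V` output for NFS-mounted home directories.

# Print the SELinux type (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one line of `matchpathcon -V` output (category names are hypothetical):
#   verified     label matches the policy's file_contexts
#   nfs-generic  actual type is nfs_t/autofs_t, i.e. it comes from the mount;
#                access is governed by booleans such as use_nfs_home_dirs
#   mislabeled   any other mismatch
#   unparsed     line not in a recognised format
classify_line() {
    local line=$1 actual expected
    case $line in
        *" verified."*) echo verified; return ;;
        *" has context "*", should be "*) ;;
        *) echo unparsed; return ;;
    esac
    actual=${line#* has context }
    actual=${actual%%, should be *}
    expected=${line##*, should be }
    case $(ctx_type "$actual") in
        nfs_t|autofs_t) echo "nfs-generic (policy expects $(ctx_type "$expected"))" ;;
        *) echo "mislabeled (policy expects $(ctx_type "$expected"))" ;;
    esac
}

# On a live SELinux host, print the state of the boolean from the answer.
nfs_home_boolean() {
    command -v getsebool >/dev/null 2>&1 || { echo unknown; return; }
    getsebool use_nfs_home_dirs 2>/dev/null | awk '{print $3}'
}

# First two lines are from the question; the third is constructed for contrast.
while IFS= read -r l; do
    printf '%s => %s\n' "${l%% *}" "$(classify_line "$l")"
done <<'EOF'
/home has context system_u:object_r:autofs_t:s0, should be system_u:object_r:home_root_t:s0
/home/roberto has context system_u:object_r:nfs_t:s0, should be unconfined_u:object_r:user_home_dir_t:s0
/home/local has context system_u:object_r:default_t:s0, should be unconfined_u:object_r:user_home_dir_t:s0
EOF
```

On a real client, pipe `matchpathcon -V /home /home/*` into the loop instead of the here-document and call `nfs_home_boolean` to see whether the boolean is already on.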

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.