Changing SELinux file contexts over NFS

Holger asked:

I would like to change SELinux labels on an NFS-mounted shared directory.

Here is my setup (using virtual machines):

I have two machines running CentOS 7. One of them (the server) exports a directory tree over NFS using the following exports file:

/top/fs/fs  *(rw,sync,no_root_squash)

I mount this directory on the client using the following command (as root):

mount <server-ip>:/top/fs/fs /mnt/fs

All is working fine up to now: I have read and write access on the client.

Now the problem with the SELinux labels:

On the server I can create a file file1 inside the NFS-share and it has the following label:

# touch file1
# ls -lZ file1
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 file1

On the client, it just shows a ‘?’:

# ls -lZ file1
-rw-r--r-- root root ?                                file1

When I try to change the SELinux context of a file inside the NFS share on the client,
I get the following:

# chcon -t admin_home_t file1
chcon: failed to get security context of ‘file1’: Operation not supported

Changing SELinux labels on the client outside the NFS share works fine, however.

How can I set up NFS and SELinux so that I can change SELinux labels on the client?


My answer:

You can’t. This isn’t something NFS supports. You can only set an SELinux context as a mount option, which will be applied to every file access by the client. None of this has any effect on any SELinux contexts that might exist on the server, and indeed, there might not be any at all.

View the full question and any other answers on Server Fault.
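
The mount-option approach from the answer, as an added example that is not part of the original question or answer: a shell function that reads /proc/mounts-format text and reports, for each NFS mount, the single SELinux context fixed by the context= option, or "none" if it is not set. The sample mount table, the 192.0.2.10 address and the /mnt/other mount are constructed for illustration; admin_home_t is the type from the question.

```shell
#!/bin/sh
# Added example (not from the original post).
# A client-side context is set once, at mount time, for the whole share, e.g.:
#   mount -o context="system_u:object_r:admin_home_t:s0" <server-ip>:/top/fs/fs /mnt/fs
# It cannot then be changed per file with chcon, and it does not touch any
# labels stored on the server.

# Read /proc/mounts-format lines on stdin; print "<mountpoint> <context|none>"
# for every nfs/nfs4 mount.
nfs_mount_contexts() {
    awk '
    $3 ~ /^nfs4?$/ {
        # Leading comma so that only the bare context= option is matched,
        # not fscontext=, defcontext= or rootcontext=.
        opts = "," $4
        ctx = "none"
        if (match(opts, /,context="[^"]*"/)) {
            # Quoted form: the value itself contains commas (MLS categories).
            ctx = substr(opts, RSTART + 10, RLENGTH - 11)
        } else if (match(opts, /,context=[^,]*/)) {
            ctx = substr(opts, RSTART + 9, RLENGTH - 9)
        }
        print $2, ctx
    }'
}

# Constructed sample input in /proc/mounts format.
SAMPLE_MOUNTS='192.0.2.10:/top/fs/fs /mnt/fs nfs4 rw,relatime,vers=4.1,context=system_u:object_r:admin_home_t:s0,addr=192.0.2.10 0 0
192.0.2.10:/top/fs/other /mnt/other nfs4 rw,relatime,vers=4.1,addr=192.0.2.10 0 0
/dev/sda1 / xfs rw,seclabel,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_contexts
```

On a live client, run it as: nfs_mount_contexts < /proc/mounts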

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.