I would like to change SELinux labels on an NFS-mounted shared directory.
Here is my setup (using virtual machines):
I have two machines running CentOS 7. One of them (the server) exports a directory tree over NFS using the following
I mount this directory on the client using the following command (as root):
mount <server-ip>:/top/fs/fs /mnt/fs
All is working fine up to now: I have read and write access on the client.
Now the problem with the SELinux labels:
On the server I can create a file file1 inside the NFS-share and it has the following label:
# touch file1
# ls -lZ file1
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 file1
On the client, it just shows a ‘?’:
# ls -lZ file1
-rw-r--r-- root root ? file1
When I try to change the SELinux context of a file inside the NFS share on the client, I get the following:
# chcon -t admin_home_t file1
chcon: failed to get security context of ‘file1’: Operation not supported
Changing SELinux labels on the client outside the NFS share works fine, however.
How can I set up NFS and SELinux so that I can change SELinux labels on the client?
You can’t. This isn’t something NFS supports. You can only set an SELinux context as a mount option, that will be applied to every file access by the client. None of this has any effect on any SELinux contexts that might exist on the server, and indeed, there might not be any at all.
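The mount-wide label described in the answer is passed with the `context=` mount option and then appears in the client's mount table. The following is an added example, not part of the original answer: a shell function that reports which NFS mounts carry such a label. The function name, the address 192.0.2.10 and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list NFS mounts and the mount-wide SELinux context
# (context= option) the client applies to every file under them.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

nfs_mount_contexts() {
    # $1: file in /proc/mounts format; reads stdin when omitted
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            ctx = "none"
            # Prepend a comma so ",context=" cannot match fscontext=,
            # defcontext= or rootcontext=.
            opts = "," $4
            if (match(opts, /,context="[^"]*"/)) {
                # Quoted form: the kernel quotes contexts that contain
                # commas, e.g. an MLS category list such as s0:c1,c2.
                ctx = substr(opts, RSTART + 9, RLENGTH - 9)
                gsub(/"/, "", ctx)
            } else if (match(opts, /,context=[^,]*/)) {
                ctx = substr(opts, RSTART + 9, RLENGTH - 9)
            }
            print $2, ctx
        }
    ' "${1:--}"
}

# Constructed sample: the share from the question mounted once without
# and once with a mount-wide context, plus a local filesystem.
nfs_mount_contexts <<'EOF'
192.0.2.10:/top/fs/fs /mnt/fs nfs4 rw,relatime,vers=4.1,addr=192.0.2.10 0 0
192.0.2.10:/top/fs/fs /mnt/labeled nfs4 rw,context=system_u:object_r:admin_home_t:s0,relatime 0 0
/dev/sda1 / xfs rw,seclabel,relatime 0 0
EOF
```

On a live client, run `nfs_mount_contexts /proc/mounts`; a mount reported as `none` was made without a `context=` option.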
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.