This article is a continuation of the previous NFS Ganesha article – Simple export of an ext4 directory with NFS Ganesha 3.5 server in CentOS 8 without SELinux. It has the same purpose, exporting a directory residing on an ext4 file system under CentOS 8 Stream, but this time SELinux is enabled and in enforcing mode. A separate article is needed because SELinux is disabled in many installations (wrongly so), and folding the SELinux configuration into the first article would have made it harder to follow. The previous article is a little more detailed in places, so the reader may want to check it, too.
It’s worth mentioning the key points of NFS-Ganesha:
- a user-mode file sharing server
- supports NFS 3, 4.x and 9P
- uses plugins (FSALs, File System Abstraction Layers) for different file systems
- CentOS Storage Special Interest Group offers a package repository with the NFS-Ganesha server
- supports file systems like ext4, xfs, btrfs, zfs and more. There are sample configurations: https://github.com/phdeniel/nfs-ganesha/tree/master/src/config_samples
- supports cluster and/or distributed file systems like GlusterFS, Ceph, GPFS, HPSS, Lustre
- Current version 3.5 and it is included in the official SIG CentOS Storage Special Interest Group repository.
This article assumes the reader has a clean CentOS 8 Stream installation with SELinux in enforcing mode.
STEP 1) Install the repository and NFS-Ganesha software
NFS-Ganesha 3 packages come from the CentOS Storage SIG repository. Its packages are GPG-signed with the Storage SIG key; dnf prints the key's fingerprint before importing it (see the full log in STEP 4.3), and it is worth comparing that fingerprint with the one CentOS publishes before accepting the key. The nfs-ganesha-selinux package installs the policy module that confines the daemon in the ganesha_t domain; the SELinux steps below depend on it.

dnf install -y centos-release-nfs-ganesha30
dnf install -y nfs-ganesha nfs-ganesha-vfs nfs-ganesha-selinux
STEP 2) Configuration for exporting a directory.
There are two files under /etc/ganesha/: ganesha.conf and vfs.conf.

ganesha.conf holds the global configuration and the NFS share configuration. Each export is an EXPORT block: the keyword EXPORT followed by a block enclosed in curly braces {}.

vfs.conf is only a sample configuration for the VFS FSAL; the NFS Ganesha server does not read it.

Here is a simple configuration, which exports /mnt/storage1 read/write to a single client IP. Append it to the end of /etc/ganesha/ganesha.conf:

EXPORT {
    Export_Id = 2;
    Path = /mnt/storage1;
    Pseudo = /mnt/storage1;
    Protocols = 3,4;
    Access_Type = RW;
    Squash = None;
    FSAL {
        Name = VFS;
    }
    CLIENT {
        Clients = 192.168.0.12;
    }
}

Two settings here deserve a second look before the export goes into production. Squash = None means the root user on 192.168.0.12 is root on /mnt/storage1 as well; Ganesha's default, Root_Squash, maps it to an anonymous user and is the safer choice unless the client really needs root. And without a SecType setting the export uses AUTH_SYS, so the server trusts whatever UID and GID the client asserts; the CLIENT list is the only thing limiting who may make such assertions, which is why it should never be omitted on a RW export.
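As an added example (not code from the article or from the NFS-Ganesha project), the following Python script parses Ganesha's block syntax and reviews every EXPORT block for the settings discussed above: a RW export with squashing disabled, an export without a CLIENT block, a wildcard client list, and the AUTH_SYS security flavour. The sample configuration embedded in it is constructed for the example: the first EXPORT is the one from this article, the second is a hypothetical export that omits the CLIENT restriction. The Ganesha defaults it assumes (Access_Type None, Squash Root_Squash, SecType sys) are taken from the project's export.txt sample; CLIENT-level overrides of those keys are not evaluated.

```python
import re

# Tokens of Ganesha's config syntax: "# comment", "NAME {", "}" and "key = value;".
_TOKEN = re.compile(
    r"\s*(?:(#[^\n]*)|([A-Za-z_]\w*)\s*\{|(\})|([A-Za-z_]\w*)\s*=\s*([^;]*);)"
)


def parse_ganesha(text):
    """Parse Ganesha's block syntax into nested dicts.

    Keys are stored lower-cased (Ganesha treats them case-insensitively).
    Nested blocks are stored under their upper-cased name as a list of dicts,
    because a block such as CLIENT may appear several times in one EXPORT.
    """
    root, stack, pos = {}, [], 0
    stack.append(root)
    while True:
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError(f"cannot parse near {text[pos:pos + 30]!r}")
            break
        pos = m.end()
        comment, opened, closed, key, value = m.groups()
        if comment:
            continue
        if opened:
            block = {}
            stack[-1].setdefault(opened.upper(), []).append(block)
            stack.append(block)
        elif closed:
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1][key.lower()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block at end of file")
    return root


WIDE_OPEN = {"*", "0.0.0.0/0", "::/0"}


def audit_exports(conf):
    """Return (export_id, finding) pairs for settings a reviewer should question."""
    findings = []
    for exp in conf.get("EXPORT", []):
        eid = exp.get("export_id", "?")
        path = exp.get("path", "?")
        # Assumed Ganesha defaults when a key is absent (from export.txt).
        access = exp.get("access_type", "None").upper()
        squash = exp.get("squash", "Root_Squash").lower()
        sectype = exp.get("sectype", "sys").lower()
        clients = exp.get("CLIENT", [])
        if access in ("RW", "MDONLY") and squash in ("none", "no_root_squash"):
            findings.append((eid, f"{path}: Squash={squash} with Access_Type={access}: "
                                  "root on an allowed client is root on the export"))
        if not clients:
            findings.append((eid, f"{path}: no CLIENT block, any host the firewall admits may mount it"))
        for c in clients:
            hosts = [h for h in re.split(r"[\s,]+", c.get("clients", "")) if h]
            if any(h in WIDE_OPEN for h in hosts):
                findings.append((eid, f"{path}: CLIENT list {hosts} is a wildcard"))
        if "sys" in sectype.split(","):
            findings.append((eid, f"{path}: SecType includes sys (AUTH_SYS): "
                                  "UIDs/GIDs are whatever the client asserts"))
    return findings


# Constructed sample: the EXPORT from this article plus a hypothetical second export.
SAMPLE_CONF = """
# appended to /etc/ganesha/ganesha.conf
EXPORT {
    Export_Id = 2;
    Path = /mnt/storage1;
    Pseudo = /mnt/storage1;
    Protocols = 3,4;
    Access_Type = RW;
    Squash = None;
    FSAL { Name = VFS; }
    CLIENT { Clients = 192.168.0.12; }
}
EXPORT {
    Export_Id = 3;
    Path = /mnt/storage2;
    Pseudo = /mnt/storage2;
    Protocols = 4;
    Access_Type = RW;
    Squash = Root_Squash;
    SecType = krb5p;
    FSAL { Name = VFS; }
}
"""

if __name__ == "__main__":
    for export_id, finding in audit_exports(parse_ganesha(SAMPLE_CONF)):
        print(f"Export_Id {export_id}: {finding}")
```

Run against a real file with parse_ganesha(open("/etc/ganesha/ganesha.conf").read()); the article's export produces two findings (no squashing on a RW export, and AUTH_SYS), the hypothetical one produces one (no CLIENT block).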
STEP 3) Start the server and mount the exported directory. Configure the firewall.
Start the server, enable the service to start on boot and then configure the firewall to pass the NFS requests:
systemctl start nfs-ganesha
systemctl enable nfs-ganesha
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
A more specific firewall rule passes requests only from the single IP that is listed in the nfs-ganesha configuration (192.168.0.12). Replace the rule above with the rich rule below (if the service rule was already added, remove it first). Note the quoting: the rich rule is wrapped in single quotes so that the double quotes around the attribute values reach firewalld intact.

firewall-cmd --permanent --zone=public --remove-service=nfs
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.12" service name="nfs" accept'
firewall-cmd --reload

The firewalld nfs service opens only port 2049, which is all NFSv4 needs. NFSv3 clients (allowed by Protocols = 3,4 in the export) additionally need rpcbind on port 111 (firewalld service rpc-bind) and the MNT and NLM ports the server registers with rpcbind. If only NFSv4 clients are expected, setting Protocols = 4 in the export is cleaner than opening those extra ports. The firewall rule and the CLIENT block are independent controls; keep both.
STEP 4) SELinux configuration. Allow NFS-Ganesha service to access the exported directory!
The main problem is that the user may want to export a directory that NFS-Ganesha is not allowed to access under the default policy, so additional SELinux configuration is needed for the exported directories. This article uses /mnt/storage1 as the directory to export. Note that SELinux rules are written in terms of types, not paths: /mnt/storage1 carries the mnt_t label (the default for /mnt), so every rule below that names mnt_t applies to everything carrying that label, not only to /mnt/storage1. Check the label with ls -dZ /mnt/storage1 before generating rules; a directory created elsewhere on the ext4 file system (for example /data) typically gets default_t, and the generated rules will then name that type instead.

There are several ways to give NFS-Ganesha the SELinux permissions it needs for the exported path /mnt/storage1. Three are proposed here; choose the one that fits your case:
- Change to permissive mode only for the NFS-Ganesha service.
- Use the extended ruleset included in this article.
- Generate an SELinux ruleset for the exported directory:
  - Temporarily switch the NFS-Ganesha domain from enforcing to permissive mode.
  - Start the NFS-Ganesha service.
  - Mount the NFS share on the client and exercise it with read and write operations on files and directories.
  - Stop NFS-Ganesha.
  - Put the NFS-Ganesha domain back into enforcing mode.
  - Search /var/log/audit/audit.log for ganesha.nfsd denials and let audit2allow turn them into an SELinux module.
  - Import the new module permanently with semodule.
  - Start NFS-Ganesha.
NFS-Ganesha runs in the ganesha_t domain. ps with the option "Z" shows the SELinux context:

[root@srv ~]# ps axufZ | grep ganesha
system_u:system_r:ganesha_t:s0  root  11171  0.0  3.2 1306456 60132 ?  Ssl  12:50  0:01 /usr/bin/ganesha.nfsd -L /var/log/ganesha/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT
STEP 4.1*) Change to permissive mode only for the NFS-Ganesha service.
This is the simplest option, but in practice it turns SELinux off for NFS-Ganesha: denials for the ganesha_t domain are still logged, just no longer enforced. As mentioned above, NFS-Ganesha runs under ganesha_t.

semanage permissive -a ganesha_t

SELinux will no longer get in the administrator's way where NFS-Ganesha is concerned, but the service is then effectively unconfined. It is still far better than disabling SELinux for the whole system, which is what people usually do, and it is fine for a short test; for production, use one of the next two steps so the domain is enforced again.

List the exceptions:

[root@srv ~]# semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

ganesha_t

To enable enforcing mode again, just use:

semanage permissive -d ganesha_t
STEP 4.2*) Use the extended ruleset included in this article.
Running NFS-Ganesha in permissive mode (STEP 4.1) and exercising the share leaves SELinux audit records for ganesha.nfsd in /var/log/audit/audit.log; the ruleset below was derived from them. Put the following lines in a file named ganesha.nfsd.te. Two things to keep in mind: the rules are expressed in terms of the mnt_t type, so they grant ganesha_t the listed access to every file and directory labelled mnt_t (by default everything under /mnt), not only to /mnt/storage1; and add_name, remove_name and rmdir are directory permissions that do not exist for the file class, so they are listed only for dir (with them in the file class the module is rejected).

module ganesha.nfsd 1.0;

require {
    type tracefs_t;
    type ganesha_t;
    type mnt_t;
    class dir { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
    class filesystem getattr;
    class file { append create getattr ioctl link lock open read rename setattr unlink write };
}

#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
allow ganesha_t mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;

Build the module and import it:

checkmodule -M -m -o ganesha.nfsd.mod ganesha.nfsd.te
semodule_package -o ganesha.nfsd.pp -m ganesha.nfsd.mod
semodule -i ganesha.nfsd.pp
STEP 4.3*) Generate an SELinux ruleset for the exported directory.

It is essentially the same as STEP 4.2*, but explained step by step and with the full command log.
[root@srv ~]# dnf install -y centos-release-nfs-ganesha30
CentOS Stream 8 - AppStream                              3.4 MB/s | 6.7 MB     00:01
CentOS Stream 8 - BaseOS                                 2.5 MB/s | 2.3 MB     00:00
CentOS Stream 8 - Extras                                 3.6 kB/s | 9.1 kB     00:02
Dependencies resolved.
==========================================================================================
 Package                         Architecture  Version       Repository   Size
==========================================================================================
Installing:
 centos-release-nfs-ganesha30    noarch        1.0-2.el8     extras       8.6 k
Installing dependencies:
 centos-release-storage-common   noarch        2-2.el8       extras       9.4 k

Transaction Summary
==========================================================================================
Install  2 Packages

Total download size: 18 k
Installed size: 2.0 k
Downloading Packages:
(1/2): centos-release-nfs-ganesha30-1.0-2.el8.noarch.rpm   256 kB/s | 8.6 kB     00:00
(2/2): centos-release-storage-common-2-2.el8.noarch.rpm     85 kB/s | 9.4 kB     00:00
------------------------------------------------------------------------------------------
Total                                                       24 kB/s |  18 kB     00:00
warning: /var/cache/dnf/extras-9705a089504ff150/packages/centos-release-nfs-ganesha30-1.0-2.el8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
CentOS Stream 8 - Extras                                 278 kB/s | 1.6 kB     00:00
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                  1/1
  Installing       : centos-release-storage-common-2-2.el8.noarch                     1/2
  Installing       : centos-release-nfs-ganesha30-1.0-2.el8.noarch                    2/2
  Verifying        : centos-release-nfs-ganesha30-1.0-2.el8.noarch                    1/2
  Verifying        : centos-release-storage-common-2-2.el8.noarch                     2/2

Installed:
  centos-release-nfs-ganesha30-1.0-2.el8.noarch
  centos-release-storage-common-2-2.el8.noarch

Complete!
[root@srv ~]# dnf install -y nfs-ganesha nfs-ganesha-vfs nfs-ganesha-selinux
CentOS-8 - NFS Ganesha 3                                  44 kB/s |  21 kB     00:00
Dependencies resolved.
==========================================================================================
 Package                         Arch    Version                          Repository            Size
==========================================================================================
Installing:
 nfs-ganesha                     x86_64  3.5-1.el8                        centos-nfs-ganesha3  708 k
 nfs-ganesha-selinux             noarch  3.5-1.el8                        centos-nfs-ganesha3   38 k
 nfs-ganesha-vfs                 x86_64  3.5-1.el8                        centos-nfs-ganesha3   69 k
Installing dependencies:
 avahi-libs                      x86_64  0.7-20.el8                       baseos                62 k
 checkpolicy                     x86_64  2.9-1.el8                        baseos               348 k
 cups-libs                       x86_64  1:2.2.6-38.el8                   baseos               433 k
 gssproxy                        x86_64  0.8.0-19.el8                     baseos               119 k
 keyutils                        x86_64  1.5.10-6.el8                     baseos                63 k
 libicu                          x86_64  60.3-2.el8_1                     baseos               8.8 M
 libntirpc                       x86_64  3.4-1.el8                        centos-nfs-ganesha3  136 k
 libverto-libevent               x86_64  0.3.0-5.el8                      baseos                16 k
 libwbclient                     x86_64  4.13.3-3.el8                     baseos               119 k
 nfs-utils                       x86_64  1:2.3.3-41.el8                   baseos               497 k
 policycoreutils-python-utils    noarch  2.9-14.el8                       baseos               252 k
 psmisc                          x86_64  23.1-5.el8                       baseos               151 k
 python3-audit                   x86_64  3.0-0.17.20191104git1c2f876.el8  baseos                86 k
 python3-libsemanage             x86_64  2.9-6.el8                        baseos               127 k
 python3-policycoreutils         noarch  2.9-14.el8                       baseos               2.2 M
 python3-pyyaml                  x86_64  3.12-12.el8                      baseos               193 k
 python3-setools                 x86_64  4.3.0-2.el8                      baseos               626 k
 quota                           x86_64  1:4.04-12.el8                    baseos               213 k
 quota-nls                       noarch  1:4.04-12.el8                    baseos                95 k
 rpcbind                         x86_64  1.2.5-8.el8                      baseos                70 k
 samba-client-libs               x86_64  4.13.3-3.el8                     baseos               5.4 M
 samba-common                    noarch  4.13.3-3.el8                     baseos               218 k
 samba-common-libs               x86_64  4.13.3-3.el8                     baseos               171 k
 userspace-rcu                   x86_64  0.10.1-4.el8                     baseos               101 k

Transaction Summary
==========================================================================================
Install  27 Packages

Total download size: 21 M
Installed size: 72 M
Downloading Packages:
(1/27): nfs-ganesha-selinux-3.5-1.el8.noarch.rpm                    717 kB/s |  38 kB     00:00
(2/27): libntirpc-3.4-1.el8.x86_64.rpm                              1.5 MB/s | 136 kB     00:00
(3/27): nfs-ganesha-vfs-3.5-1.el8.x86_64.rpm                        1.8 MB/s |  69 kB     00:00
(4/27): avahi-libs-0.7-20.el8.x86_64.rpm                            1.3 MB/s |  62 kB     00:00
(5/27): checkpolicy-2.9-1.el8.x86_64.rpm                            2.0 MB/s | 348 kB     00:00
(6/27): nfs-ganesha-3.5-1.el8.x86_64.rpm                            2.2 MB/s | 708 kB     00:00
(7/27): gssproxy-0.8.0-19.el8.x86_64.rpm                            1.7 MB/s | 119 kB     00:00
(8/27): cups-libs-2.2.6-38.el8.x86_64.rpm                           2.1 MB/s | 433 kB     00:00
(9/27): libverto-libevent-0.3.0-5.el8.x86_64.rpm                    571 kB/s |  16 kB     00:00
(10/27): keyutils-1.5.10-6.el8.x86_64.rpm                           468 kB/s |  63 kB     00:00
(11/27): libwbclient-4.13.3-3.el8.x86_64.rpm                        773 kB/s | 119 kB     00:00
(12/27): policycoreutils-python-utils-2.9-14.el8.noarch.rpm         1.5 MB/s | 252 kB     00:00
(13/27): nfs-utils-2.3.3-41.el8.x86_64.rpm                          1.9 MB/s | 497 kB     00:00
(14/27): python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64.rpm   1.5 MB/s |  86 kB     00:00
(15/27): psmisc-23.1-5.el8.x86_64.rpm                               1.6 MB/s | 151 kB     00:00
(16/27): python3-libsemanage-2.9-6.el8.x86_64.rpm                   2.1 MB/s | 127 kB     00:00
(17/27): python3-pyyaml-3.12-12.el8.x86_64.rpm                      1.5 MB/s | 193 kB     00:00
(18/27): python3-setools-4.3.0-2.el8.x86_64.rpm                     1.6 MB/s | 626 kB     00:00
(19/27): quota-4.04-12.el8.x86_64.rpm                               1.0 MB/s | 213 kB     00:00
(20/27): quota-nls-4.04-12.el8.noarch.rpm                           1.1 MB/s |  95 kB     00:00
(21/27): rpcbind-1.2.5-8.el8.x86_64.rpm                             1.6 MB/s |  70 kB     00:00
(22/27): python3-policycoreutils-2.9-14.el8.noarch.rpm              2.3 MB/s | 2.2 MB     00:00
(23/27): samba-common-4.13.3-3.el8.noarch.rpm                       1.0 MB/s | 218 kB     00:00
(24/27): samba-common-libs-4.13.3-3.el8.x86_64.rpm                  961 kB/s | 171 kB     00:00
(25/27): userspace-rcu-0.10.1-4.el8.x86_64.rpm                      1.7 MB/s | 101 kB     00:00
(26/27): libicu-60.3-2.el8_1.x86_64.rpm                             3.0 MB/s | 8.8 MB     00:02
(27/27): samba-client-libs-4.13.3-3.el8.x86_64.rpm                  3.2 MB/s | 5.4 MB     00:01
------------------------------------------------------------------------------------------
Total                                                               5.7 MB/s |  21 MB     00:03
warning: /var/cache/dnf/centos-nfs-ganesha3-a441f11834edc8e2/packages/libntirpc-3.4-1.el8.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID e451e5b5: NOKEY
CentOS-8 - NFS Ganesha 3                                 1.0 MB/s | 1.0 kB     00:00
Importing GPG key 0xE451E5B5:
 Userid     : "CentOS Storage SIG (http://wiki.centos.org/SpecialInterestGroup/Storage) <security@centos.org>"
 Fingerprint: 7412 9C0B 173B 071A 3775 951A D4A2 E50B E451 E5B5
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                  1/1
  Installing       : userspace-rcu-0.10.1-4.el8.x86_64                               1/27
  Running scriptlet: userspace-rcu-0.10.1-4.el8.x86_64                               1/27
  Installing       : libntirpc-3.4-1.el8.x86_64                                      2/27
  Running scriptlet: samba-common-4.13.3-3.el8.noarch                                3/27
  Installing       : samba-common-4.13.3-3.el8.noarch                                3/27
  Running scriptlet: samba-common-4.13.3-3.el8.noarch                                3/27
  Running scriptlet: rpcbind-1.2.5-8.el8.x86_64                                      4/27
  Installing       : rpcbind-1.2.5-8.el8.x86_64                                      4/27
  Running scriptlet: rpcbind-1.2.5-8.el8.x86_64                                      4/27
  Installing       : avahi-libs-0.7-20.el8.x86_64                                    5/27
  Installing       : cups-libs-1:2.2.6-38.el8.x86_64                                 6/27
  Installing       : quota-nls-1:4.04-12.el8.noarch                                  7/27
  Installing       : quota-1:4.04-12.el8.x86_64                                      8/27
  Installing       : python3-setools-4.3.0-2.el8.x86_64                              9/27
  Installing       : python3-pyyaml-3.12-12.el8.x86_64                              10/27
  Installing       : python3-libsemanage-2.9-6.el8.x86_64                           11/27
  Installing       : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64           12/27
  Installing       : psmisc-23.1-5.el8.x86_64                                       13/27
  Installing       : libverto-libevent-0.3.0-5.el8.x86_64                           14/27
  Installing       : gssproxy-0.8.0-19.el8.x86_64                                   15/27
  Running scriptlet: gssproxy-0.8.0-19.el8.x86_64                                   15/27
  Installing       : libicu-60.3-2.el8_1.x86_64                                     16/27
  Running scriptlet: libicu-60.3-2.el8_1.x86_64                                     16/27
  Installing       : libwbclient-4.13.3-3.el8.x86_64                                17/27
  Installing       : samba-common-libs-4.13.3-3.el8.x86_64                          18/27
  Installing       : samba-client-libs-4.13.3-3.el8.x86_64                          19/27
  Installing       : keyutils-1.5.10-6.el8.x86_64                                   20/27
  Running scriptlet: nfs-utils-1:2.3.3-41.el8.x86_64                                21/27
  Installing       : nfs-utils-1:2.3.3-41.el8.x86_64                                21/27
  Running scriptlet: nfs-utils-1:2.3.3-41.el8.x86_64                                21/27
  Installing       : checkpolicy-2.9-1.el8.x86_64                                   22/27
  Installing       : python3-policycoreutils-2.9-14.el8.noarch                      23/27
  Installing       : policycoreutils-python-utils-2.9-14.el8.noarch                 24/27
  Running scriptlet: nfs-ganesha-selinux-3.5-1.el8.noarch                           25/27
  Installing       : nfs-ganesha-selinux-3.5-1.el8.noarch                           25/27
  Running scriptlet: nfs-ganesha-selinux-3.5-1.el8.noarch                           25/27
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                   26/27
  Installing       : nfs-ganesha-3.5-1.el8.x86_64                                   26/27
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                   26/27
  Installing       : nfs-ganesha-vfs-3.5-1.el8.x86_64                               27/27
  Running scriptlet: libwbclient-4.13.3-3.el8.x86_64                                27/27
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                   27/27
  Running scriptlet: nfs-ganesha-vfs-3.5-1.el8.x86_64                               27/27
  Verifying        : libntirpc-3.4-1.el8.x86_64                                      1/27
  Verifying        : nfs-ganesha-3.5-1.el8.x86_64                                    2/27
  Verifying        : nfs-ganesha-selinux-3.5-1.el8.noarch                            3/27
  Verifying        : nfs-ganesha-vfs-3.5-1.el8.x86_64                                4/27
  Verifying        : avahi-libs-0.7-20.el8.x86_64                                    5/27
  Verifying        : checkpolicy-2.9-1.el8.x86_64                                    6/27
  Verifying        : cups-libs-1:2.2.6-38.el8.x86_64                                 7/27
  Verifying        : gssproxy-0.8.0-19.el8.x86_64                                    8/27
  Verifying        : keyutils-1.5.10-6.el8.x86_64                                    9/27
  Verifying        : libicu-60.3-2.el8_1.x86_64                                     10/27
  Verifying        : libverto-libevent-0.3.0-5.el8.x86_64                           11/27
  Verifying        : libwbclient-4.13.3-3.el8.x86_64                                12/27
  Verifying        : nfs-utils-1:2.3.3-41.el8.x86_64                                13/27
  Verifying        : policycoreutils-python-utils-2.9-14.el8.noarch                 14/27
  Verifying        : psmisc-23.1-5.el8.x86_64                                       15/27
  Verifying        : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64           16/27
  Verifying        : python3-libsemanage-2.9-6.el8.x86_64                           17/27
  Verifying        : python3-policycoreutils-2.9-14.el8.noarch                      18/27
  Verifying        : python3-pyyaml-3.12-12.el8.x86_64                              19/27
  Verifying        : python3-setools-4.3.0-2.el8.x86_64                             20/27
  Verifying        : quota-1:4.04-12.el8.x86_64                                     21/27
  Verifying        : quota-nls-1:4.04-12.el8.noarch                                 22/27
  Verifying        : rpcbind-1.2.5-8.el8.x86_64                                     23/27
  Verifying        : samba-client-libs-4.13.3-3.el8.x86_64                          24/27
  Verifying        : samba-common-4.13.3-3.el8.noarch                               25/27
  Verifying        : samba-common-libs-4.13.3-3.el8.x86_64                          26/27
  Verifying        : userspace-rcu-0.10.1-4.el8.x86_64                              27/27

Installed:
  avahi-libs-0.7-20.el8.x86_64
  checkpolicy-2.9-1.el8.x86_64
  cups-libs-1:2.2.6-38.el8.x86_64
  gssproxy-0.8.0-19.el8.x86_64
  keyutils-1.5.10-6.el8.x86_64
  libicu-60.3-2.el8_1.x86_64
  libntirpc-3.4-1.el8.x86_64
  libverto-libevent-0.3.0-5.el8.x86_64
  libwbclient-4.13.3-3.el8.x86_64
  nfs-ganesha-3.5-1.el8.x86_64
  nfs-ganesha-selinux-3.5-1.el8.noarch
  nfs-ganesha-vfs-3.5-1.el8.x86_64
  nfs-utils-1:2.3.3-41.el8.x86_64
  policycoreutils-python-utils-2.9-14.el8.noarch
  psmisc-23.1-5.el8.x86_64
  python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64
  python3-libsemanage-2.9-6.el8.x86_64
  python3-policycoreutils-2.9-14.el8.noarch
  python3-pyyaml-3.12-12.el8.x86_64
  python3-setools-4.3.0-2.el8.x86_64
  quota-1:4.04-12.el8.x86_64
  quota-nls-1:4.04-12.el8.noarch
  rpcbind-1.2.5-8.el8.x86_64
  samba-client-libs-4.13.3-3.el8.x86_64
  samba-common-4.13.3-3.el8.noarch
  samba-common-libs-4.13.3-3.el8.x86_64
  userspace-rcu-0.10.1-4.el8.x86_64

Complete!
[root@srv ~]# tail -n 17 /etc/ganesha/ganesha.conf
EXPORT {
    Export_Id = 2;
    Path = /mnt/storage1;
    Pseudo = /mnt/storage1;
    Protocols = 3,4;
    Access_Type = RW;
    Squash = None;
    FSAL {
        Name = VFS;
    }
    CLIENT {
        Clients = 192.168.0.12;
    }
}
The required software is installed and configuration added.
Temporarily switch the NFS-Ganesha domain to permissive mode, start the server, mount the share on the client and run the usual commands there: ls, stat, rm, mv, cp, cat, mkdir, rmdir and so on. Every operation the policy does not already allow leaves a record in the server's audit log /var/log/audit/audit.log, and the SELinux module is built from those records. Exercise every operation the clients will really use; an operation that was never tried will be denied again once the domain is enforcing (see the error sections below for how to catch up).

[root@srv ~]# semanage permissive -a ganesha_t
[root@srv ~]# semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

ganesha_t
[root@srv ~]# mkdir /mnt/storage1
[root@srv ~]# systemctl start nfs-ganesha
[root@srv ~]# firewall-cmd --permanent --zone=public --add-service=nfs
success
[root@srv ~]# firewall-cmd --reload
success
[root@srv ~]# (on the client: mount the share and run ls, stat, rm, mv, cp, cat, mkdir, rmdir and so on)
[root@srv ~]# systemctl stop nfs-ganesha
[root@srv ~]# semanage permissive -d ganesha_t
libsemanage.semanage_direct_remove_key: Removing last permissive_ganesha_t module (no other permissive_ganesha_t module exists at another priority).
[root@srv ~]# semanage permissive -l
[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow

#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { add_name create read remove_name rmdir write };
allow ganesha_t mnt_t:file { create getattr open read unlink write };
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;

The rules printed above are the ones to package into a module with audit2allow -M and import with semodule -i, exactly as shown in the client errors section below. Review the generated .te before importing it: audit2allow turns every denial it sees into an allow rule, including denials that have nothing to do with serving the share.
Mounting the NFS share
Only the client with IP 192.168.0.12 can mount the exported directory /mnt/storage1. The CLIENT block may be omitted (which makes the export reachable from any address the firewall lets through) or included several times, each one redefining some of the parameters of the enclosing EXPORT block or of the global configuration for its own list of clients.

The full list of EXPORT block parameters is documented in the sample file https://github.com/phdeniel/nfs-ganesha/blob/master/src/config_samples/export.txt
And mounting the directory from client with IP 192.168.0.12:
mount 192.168.0.20:/mnt/storage1 /clients/storage1
/etc/fstab example line:
192.168.0.20:/mnt/storage1 /clients/storage1 nfs defaults,hard,intr,noexec,nosuid,_netdev,fsc,vers=4 0 0
192.168.0.20 is the IP of the NFS-Ganesha server, /mnt/storage1 is the directory exported by NFS-Ganesha and /clients/storage1 is the mount point on the client machine (any directory name will do). Two notes on the mount options: intr has been ignored by the kernel since 2.6.25 and is accepted only for compatibility, and fsc only takes effect when cachefilesd is installed and running on the client. noexec and nosuid protect the client from executables and setuid binaries placed on the share; they do nothing on the server side, which is governed by Access_Type, Squash and the CLIENT list of the export.
Client NFS share errors
Errors like the following on the client:

mv: cannot move 'test' to 'test1': Permission denied

mean that SELinux is blocking some of the calls ganesha.nfsd makes on the server (here a rename, which needs add_name and remove_name on the directory). The audit log /var/log/audit/audit.log on the server shows exactly which:

[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow

#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { add_name remove_name rmdir };
[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow -M ganesha-new
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ganesha-new.pp

[root@srv ~]# semodule -i ganesha-new.pp
audit2allow shows what is missing and writes the module (ganesha-new.te and ganesha-new.pp). Import the module and the clients' permission errors stop.
Server errors
Permission error in the NFS-Ganesha log – /var/log/ganesha/ganesha.log:
14/04/2021 10:10:16 : epoch 6076bf88 : srv : ganesha.nfsd-15628[main] init_export_root :EXPORT :CRIT :Lookup failed on path, ExportId=2 Path=/mnt/storage1 FSAL_ERROR=(Permission denied,13)
NFS-Ganesha does not have permission to open the exported directory. The solution is the same as in the client errors section: find the denials in the audit log with ausearch, generate a module with audit2allow and import it with semodule.

Such an error means the share is not exported at all, and the client's mount attempt fails as well:

mount.nfs: mounting 192.168.0.20:/mnt/storage1 failed, reason given by server: No such file or directory

Here are some of the matching records from /var/log/audit/audit.log. Each AVC record is paired with the SYSCALL record of the same event id; the AVC that belongs to the first SYSCALL record (event 331) is not shown:
type=SYSCALL msg=audit(1618394379.846:331): arch=c000003e syscall=264 success=no exit=-13 a0=21 a1=7f6a7401f250 a2=22 a3=7f6a7400ece0 items=0 ppid=1 pid=11171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=renameat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618394456.824:332): avc: denied { remove_name } for pid=11171 comm="ganesha.nfsd" name="p" dev="sda1" ino=5506980 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1618394456.824:332): arch=c000003e syscall=264 success=no exit=-13 a0=21 a1=7f6a800f1440 a2=22 a3=7f6a800f1460 items=0 ppid=1 pid=11171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=renameat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618395016.501:343): avc: denied { getattr } for pid=15628 comm="ganesha.nfsd" path="/sys/kernel/tracing" dev="tracefs" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1618395016.501:343): arch=c000003e syscall=4 success=no exit=-13 a0=55e61a941315 a1=7ffc19e5d240 a2=7ffc19e5d240 a3=7fd0bf6920d0 items=0 ppid=1 pid=15628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618395016.508:344): avc: denied { read } for pid=15628 comm="ganesha.nfsd" name="mnt" dev="sda1" ino=5505025 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0

All these SELinux denials (read, getattr, remove_name) are resolved as described above with ausearch, audit2allow and semodule. Two practical points: ausearch -c searches the whole audit log, so add a time window such as ausearch -ts recent (the last ten minutes) to keep denials from earlier experiments out of the new module; and read the generated .te before importing it, since every denial becomes an allow rule, whether or not the service actually needs it.
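As an added example (not code from the article or from the SELinux or NFS-Ganesha projects), the script below does by hand what the ausearch | audit2allow step in STEP 4.3 and in the error sections does: it reads raw audit records, keeps only the AVC denials of ganesha.nfsd, merges them by source type, target type and object class, and renders a policy module source in the same shape as the article's ganesha.nfsd.te. Unlike audit2allow it lets the caller mark (target type, class) pairs to be written as dontaudit instead of allow, for denials that do not affect the service. The sample records are constructed for the example: three are the AVC lines shown above, one is the SYSCALL record of event 332, and the last is a hypothetical denial for another process that the comm filter must drop. The module name ganesha_local is an assumption.

```python
import re
from collections import defaultdict

# One audit record per line, as auditd writes it and as "ausearch --raw" prints it.
_AVC = re.compile(
    r"type=AVC\b.*?avc: +denied +\{ *(?P<perms>[^}]+?) *\} +for +.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """system_u:system_r:ganesha_t:s0 -> ganesha_t"""
    return context.split(":")[2]


def collect_denials(lines, comm="ganesha.nfsd"):
    """Merge the AVC denials of one process name into
    {(source type, target type, class): set of denied permissions}.
    SYSCALL and other record types, and AVCs of other processes, are skipped."""
    rules = defaultdict(set)
    for line in lines:
        m = _AVC.search(line)
        if m is None or m.group("comm") != comm:
            continue
        key = (_type_of(m.group("scon")), _type_of(m.group("tcon")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def _perm_list(perms):
    """Policy syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="ganesha_local", version="1.0", dontaudit=()):
    """Render a policy module source (.te) from collect_denials() output.

    dontaudit: (target type, class) pairs to silence rather than permit,
    for denials that do not affect the service."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s != stype:
                continue
            verb = "dontaudit" if (t, cls) in dontaudit else "allow"
            out.append(f"{verb} {s} {t}:{cls} {_perm_list(perms)};")
    return "\n".join(out) + "\n"


# Constructed sample: three AVCs from this article, one SYSCALL record, and a
# hypothetical denial for sshd that must not end up in the Ganesha module.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1618394456.824:332): avc:  denied  { remove_name } for  pid=11171 comm="ganesha.nfsd" name="p" dev="sda1" ino=5506980 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1618394456.824:332): arch=c000003e syscall=264 success=no exit=-13 a0=21 a1=7f6a800f1440 a2=22 a3=7f6a800f1460 items=0 ppid=1 pid=11171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(1618395016.501:343): avc:  denied  { getattr } for  pid=15628 comm="ganesha.nfsd" path="/sys/kernel/tracing" dev="tracefs" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1618395016.508:344): avc:  denied  { read } for  pid=15628 comm="ganesha.nfsd" name="mnt" dev="sda1" ino=5505025 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1618395100.000:350): avc:  denied  { read } for  pid=2200 comm="sshd" name="secret" dev="sda1" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file permissive=0
""".splitlines()

if __name__ == "__main__":
    # With a real log: collect_denials(open("/var/log/audit/audit.log"))
    denials = collect_denials(SAMPLE_AUDIT)
    print(render_te(denials, dontaudit={("tracefs_t", "dir")}))
```

The rendered .te is compiled and imported exactly like the article's hand-written module (checkmodule -M -m, semodule_package, semodule -i). Writing the tracefs_t denial as dontaudit keeps the audit log quiet without granting the daemon anything; the mnt_t rule is the one that actually makes the export work, and it applies to every directory labelled mnt_t, as noted in STEP 4.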