Simple export of a ext4 directory with NFS Ganesha 3.5 server in CentOS 8 with SELinux enforcing

Author:

In fact, this article is a continuation of the previous NFS Ganesha article – Simple export of an ext4 directory with NFS Ganesha 3.5 server in CentOS 8 without SELinux because it has the same purpose to export a directory residing on an ext4 file system under CentOS 8 Stream, but this time the SELinux is enabled and it is in enforcing mode! There is a need for this additional article because the SELinux is not enabled in many user configurations (despite being wrong!) and the SELinux configuration may add complexity to the first article, which could lead to misleading thoughts. The previous article might be a little bit more detailed, so the reader could check it, too.
It’s worth mentioning the key points of NFS-Ganesha:

  • a user-mode file sharing server
  • supports NFS 3, 4.x and 9P
  • using plugins for different file systems
  • CentOS Storage Special Interest Group offers a file repository with NFS-Ganesha server
  • supports file systems like ext4, xfs, brtfs, zfs and more. There are sample configurations: https://github.com/phdeniel/nfs-ganesha/tree/master/src/config_samples
  • supports cluster and/or distributed file systems like GlusterFS, Ceph, GPFS, HPSS, Lustre
  • Current version 3.5 and it is included in the official SIG CentOS Storage Special Interest Group repository.

This article assumes the reader has a clean CentOS 8 Stream installation with SELinux in enforcing mode.

STEP 1) Install the repository and NFS-Ganesha software

NFS-Ganesha 3 packages are from the CentOS Storage SIG repository, which is a good repository and may be trusted.

dnf install -y centos-release-nfs-ganesha30
dnf install -y nfs-ganesha nfs-ganesha-vfs nfs-ganesha-selinux

STEP 2) Configuration for exporting a directory.

There are two files under /etc/ganesha/:

ganesha.conf
vfs.conf

ganesha.conf includes global configuration and NFS share configuration. Each export path begins with the keyword EXPORT followed by a block ebraced by brackets {}.
vfs.conf includes a simple example for the VFS plugin, but this configuration file is not used by the NFS Ganesha server. It is just a sample file.
Here is a simple configuration, which exports /mnt/storage with Read/Write permissions to a single IP. Just add at the end of the file /etc/ganesha/ganesha.conf contains:

 
EXPORT
{
        Export_Id = 2;
        Path = /mnt/storage1;
        Pseudo = /mnt/storage1;
        Protocols = 3,4;
        Access_Type = RW;
        Squash = None;
        FSAL
        {
                Name = VFS;
        }
        CLIENT
        {
                Clients = 192.168.0.12;
        }
}

STEP 3) Start the server and mount the exported directory. Configure the firewall.

Start the server, enable the service to start on boot and then configure the firewall to pass the NFS requests:

systemctl start nfs-ganesha
systemctl enable nfs-ganesha
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload


A more specific firewall rule to pass requests only from the single IP, which is included in the nfs-ganesha configuration (aka 192.168.0.12). Replace the above rule with (if the above rule was added it should be removed first):

firewall-cmd --permanent --zone=public --remove-service=nfs
firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.0.12" service name="nfs" accept"
firewall-cmd --reload

STEP 4) SELinux configuration. Allow NFS-Ganesha service to access the exported directory!

The main problem is that the user may what to export a directory, where the NFS-Ganesha is not allowed to access. So additional SELinux configuration is needed for each exported directory. This article use /mnt/storage1 as the directory to export, so the SELinux configuration allows the NFS-Ganesha service to access only this directory. The /mnt/storage1 may be replaced with almost any path on the ext4 file system.
There several ways to let the NFS-Ganesha access the exported path /mnt/storage1 with the right SELinux privileges. Three ways are proposed here. Choose one of them and use it in your case:

  1. Change to permissive mode only for the NFS-Ganesha service.
  2. Use an the extended ruleset included in this article.
  3. Generate SELinux ruleset with the exported directory:
    • Set temporary SELinux from enforcing to permissive mode for NFS-Ganesha service..
    • Start the NFS-Ganesha service.
    • Mount the NFS share on the client and access a file/directory on it with a read and a write operation.
    • Stop the NFS-Ganesha.
    • Enable the SELinux enforcing for NFS-Ganesha service.
    • Search the /var/log/audit/audit.log for ganesha-nfsd and make SELinux module to add new SELinux rules.
    • Then import permanently the new SELinux rule.
    • Start the NFS-Ganesha.


NFS-Ganesha works under ganesha_t context. Using ps with the option “Z” shows the SELinux context:

[root@srv ~]# ps axufZ|grep ganesha
system_u:system_r:ganesha_t:s0  root       11171  0.0  3.2 1306456 60132 ?       Ssl  12:50   0:01 /usr/bin/ganesha.nfsd -L /var/log/ganesha/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT

STEP 4.1*) Change to permissive mode only for the NFS-Ganesha service.

This operation is simple, but gives practically it turns off the SELinux for the NFS-Ganesha. As mentioned above the NFS-Ganesha works under ganesha_t.

semanage permissive -a ganesha_t

And no SELinux will bother the system admin’s life for NFS-Ganesha. But it is just unsecured despite it is limited only to one process. Still, it is not the whole system, as usual, people like to disable SELinux!
List the exceptions:

[root@srv ~]# semanage permissive -l

Builtin Permissive Types 


Customized Permissive Types

ganesha_t

To enable enforcing mode again, just use:

semanage permissive -d ganesha_t

STEP 4.2*) Use the extended ruleset included in this article.

Setting to permissive mode only for the NFS-Ganesha will result in multiple SELinux audit records for ganesha.nfsd in /var/log/audit/audit.log, which could be analyzed to build an SELinux ruleset and a module to load it. Add the following lines in the file ganesha.nfsd.te


module ganesha.nfsd 1.0;

require {
        type tracefs_t;
        type ganesha_t;
        type mnt_t;
        class dir { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
        class filesystem getattr;
        class file { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
}

#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
allow ganesha_t mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink write add_name remove_name rmdir };
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;

Make a module and import it:

checkmodule -M -m -o ganesha.nfsd.mod ganesha.nfsd.te
semodule_package -o ganesha.nfsd.pp -m ganesha.nfsd.mod
semodule -i ganesha.nfsd.pp

4.3*) Generate SELinux ruleset with the exported directory.

It is very similar the same to the (STEP 4.2*), just a better explanation and full command log.

[root@srv ~]# dnf install -y centos-release-nfs-ganesha30
CentOS Stream 8 - AppStream                                                                                                                                  3.4 MB/s | 6.7 MB     00:01    
CentOS Stream 8 - BaseOS                                                                                                                                     2.5 MB/s | 2.3 MB     00:00    
CentOS Stream 8 - Extras                                                                                                                                     3.6 kB/s | 9.1 kB     00:02    
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                                       Architecture                           Version                                   Repository                              Size
=============================================================================================================================================================================================
Installing:
 centos-release-nfs-ganesha30                                  noarch                                 1.0-2.el8                                 extras                                 8.6 k
Installing dependencies:
 centos-release-storage-common                                 noarch                                 2-2.el8                                   extras                                 9.4 k

Transaction Summary
=============================================================================================================================================================================================
Install  2 Packages

Total download size: 18 k
Installed size: 2.0 k
Downloading Packages:
(1/2): centos-release-nfs-ganesha30-1.0-2.el8.noarch.rpm                                                                                                     256 kB/s | 8.6 kB     00:00    
(2/2): centos-release-storage-common-2-2.el8.noarch.rpm                                                                                                       85 kB/s | 9.4 kB     00:00    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         24 kB/s |  18 kB     00:00     
warning: /var/cache/dnf/extras-9705a089504ff150/packages/centos-release-nfs-ganesha30-1.0-2.el8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
CentOS Stream 8 - Extras                                                                                                                                     278 kB/s | 1.6 kB     00:00    
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                     1/1 
  Installing       : centos-release-storage-common-2-2.el8.noarch                                                                                                                        1/2 
  Installing       : centos-release-nfs-ganesha30-1.0-2.el8.noarch                                                                                                                       2/2 
  Verifying        : centos-release-nfs-ganesha30-1.0-2.el8.noarch                                                                                                                       1/2 
  Verifying        : centos-release-storage-common-2-2.el8.noarch                                                                                                                        2/2 

Installed:
  centos-release-nfs-ganesha30-1.0-2.el8.noarch                                                 centos-release-storage-common-2-2.el8.noarch                                                

Complete!
[root@srv ~]# dnf install -y nfs-ganesha nfs-ganesha-vfs nfs-ganesha-selinux
CentOS-8 - NFS Ganesha 3                                                                                                                                      44 kB/s |  21 kB     00:00    
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                             Architecture                  Version                                                  Repository                                  Size
=============================================================================================================================================================================================
Installing:
 nfs-ganesha                                         x86_64                        3.5-1.el8                                                centos-nfs-ganesha3                        708 k
 nfs-ganesha-selinux                                 noarch                        3.5-1.el8                                                centos-nfs-ganesha3                         38 k
 nfs-ganesha-vfs                                     x86_64                        3.5-1.el8                                                centos-nfs-ganesha3                         69 k
Installing dependencies:
 avahi-libs                                          x86_64                        0.7-20.el8                                               baseos                                      62 k
 checkpolicy                                         x86_64                        2.9-1.el8                                                baseos                                     348 k
 cups-libs                                           x86_64                        1:2.2.6-38.el8                                           baseos                                     433 k
 gssproxy                                            x86_64                        0.8.0-19.el8                                             baseos                                     119 k
 keyutils                                            x86_64                        1.5.10-6.el8                                             baseos                                      63 k
 libicu                                              x86_64                        60.3-2.el8_1                                             baseos                                     8.8 M
 libntirpc                                           x86_64                        3.4-1.el8                                                centos-nfs-ganesha3                        136 k
 libverto-libevent                                   x86_64                        0.3.0-5.el8                                              baseos                                      16 k
 libwbclient                                         x86_64                        4.13.3-3.el8                                             baseos                                     119 k
 nfs-utils                                           x86_64                        1:2.3.3-41.el8                                           baseos                                     497 k
 policycoreutils-python-utils                        noarch                        2.9-14.el8                                               baseos                                     252 k
 psmisc                                              x86_64                        23.1-5.el8                                               baseos                                     151 k
 python3-audit                                       x86_64                        3.0-0.17.20191104git1c2f876.el8                          baseos                                      86 k
 python3-libsemanage                                 x86_64                        2.9-6.el8                                                baseos                                     127 k
 python3-policycoreutils                             noarch                        2.9-14.el8                                               baseos                                     2.2 M
 python3-pyyaml                                      x86_64                        3.12-12.el8                                              baseos                                     193 k
 python3-setools                                     x86_64                        4.3.0-2.el8                                              baseos                                     626 k
 quota                                               x86_64                        1:4.04-12.el8                                            baseos                                     213 k
 quota-nls                                           noarch                        1:4.04-12.el8                                            baseos                                      95 k
 rpcbind                                             x86_64                        1.2.5-8.el8                                              baseos                                      70 k
 samba-client-libs                                   x86_64                        4.13.3-3.el8                                             baseos                                     5.4 M
 samba-common                                        noarch                        4.13.3-3.el8                                             baseos                                     218 k
 samba-common-libs                                   x86_64                        4.13.3-3.el8                                             baseos                                     171 k
 userspace-rcu                                       x86_64                        0.10.1-4.el8                                             baseos                                     101 k

Transaction Summary
=============================================================================================================================================================================================
Install  27 Packages

Total download size: 21 M
Installed size: 72 M
Downloading Packages:
(1/27): nfs-ganesha-selinux-3.5-1.el8.noarch.rpm                                                                                                             717 kB/s |  38 kB     00:00    
(2/27): libntirpc-3.4-1.el8.x86_64.rpm                                                                                                                       1.5 MB/s | 136 kB     00:00    
(3/27): nfs-ganesha-vfs-3.5-1.el8.x86_64.rpm                                                                                                                 1.8 MB/s |  69 kB     00:00    
(4/27): avahi-libs-0.7-20.el8.x86_64.rpm                                                                                                                     1.3 MB/s |  62 kB     00:00    
(5/27): checkpolicy-2.9-1.el8.x86_64.rpm                                                                                                                     2.0 MB/s | 348 kB     00:00    
(6/27): nfs-ganesha-3.5-1.el8.x86_64.rpm                                                                                                                     2.2 MB/s | 708 kB     00:00    
(7/27): gssproxy-0.8.0-19.el8.x86_64.rpm                                                                                                                     1.7 MB/s | 119 kB     00:00    
(8/27): cups-libs-2.2.6-38.el8.x86_64.rpm                                                                                                                    2.1 MB/s | 433 kB     00:00    
(9/27): libverto-libevent-0.3.0-5.el8.x86_64.rpm                                                                                                             571 kB/s |  16 kB     00:00    
(10/27): keyutils-1.5.10-6.el8.x86_64.rpm                                                                                                                    468 kB/s |  63 kB     00:00    
(11/27): libwbclient-4.13.3-3.el8.x86_64.rpm                                                                                                                 773 kB/s | 119 kB     00:00    
(12/27): policycoreutils-python-utils-2.9-14.el8.noarch.rpm                                                                                                  1.5 MB/s | 252 kB     00:00    
(13/27): nfs-utils-2.3.3-41.el8.x86_64.rpm                                                                                                                   1.9 MB/s | 497 kB     00:00    
(14/27): python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64.rpm                                                                                            1.5 MB/s |  86 kB     00:00    
(15/27): psmisc-23.1-5.el8.x86_64.rpm                                                                                                                        1.6 MB/s | 151 kB     00:00    
(16/27): python3-libsemanage-2.9-6.el8.x86_64.rpm                                                                                                            2.1 MB/s | 127 kB     00:00    
(17/27): python3-pyyaml-3.12-12.el8.x86_64.rpm                                                                                                               1.5 MB/s | 193 kB     00:00    
(18/27): python3-setools-4.3.0-2.el8.x86_64.rpm                                                                                                              1.6 MB/s | 626 kB     00:00    
(19/27): quota-4.04-12.el8.x86_64.rpm                                                                                                                        1.0 MB/s | 213 kB     00:00    
(20/27): quota-nls-4.04-12.el8.noarch.rpm                                                                                                                    1.1 MB/s |  95 kB     00:00    
(21/27): rpcbind-1.2.5-8.el8.x86_64.rpm                                                                                                                      1.6 MB/s |  70 kB     00:00    
(22/27): python3-policycoreutils-2.9-14.el8.noarch.rpm                                                                                                       2.3 MB/s | 2.2 MB     00:00    
(23/27): samba-common-4.13.3-3.el8.noarch.rpm                                                                                                                1.0 MB/s | 218 kB     00:00    
(24/27): samba-common-libs-4.13.3-3.el8.x86_64.rpm                                                                                                           961 kB/s | 171 kB     00:00    
(25/27): userspace-rcu-0.10.1-4.el8.x86_64.rpm                                                                                                               1.7 MB/s | 101 kB     00:00    
(26/27): libicu-60.3-2.el8_1.x86_64.rpm                                                                                                                      3.0 MB/s | 8.8 MB     00:02    
(27/27): samba-client-libs-4.13.3-3.el8.x86_64.rpm                                                                                                           3.2 MB/s | 5.4 MB     00:01    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                        5.7 MB/s |  21 MB     00:03     
warning: /var/cache/dnf/centos-nfs-ganesha3-a441f11834edc8e2/packages/libntirpc-3.4-1.el8.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID e451e5b5: NOKEY
CentOS-8 - NFS Ganesha 3                                                                                                                                     1.0 MB/s | 1.0 kB     00:00    
Importing GPG key 0xE451E5B5:
 Userid     : "CentOS Storage SIG (http://wiki.centos.org/SpecialInterestGroup/Storage) <security@centos.org>"
 Fingerprint: 7412 9C0B 173B 071A 3775 951A D4A2 E50B E451 E5B5
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                     1/1 
  Installing       : userspace-rcu-0.10.1-4.el8.x86_64                                                                                                                                  1/27 
  Running scriptlet: userspace-rcu-0.10.1-4.el8.x86_64                                                                                                                                  1/27 
  Installing       : libntirpc-3.4-1.el8.x86_64                                                                                                                                         2/27 
  Running scriptlet: samba-common-4.13.3-3.el8.noarch                                                                                                                                   3/27 
  Installing       : samba-common-4.13.3-3.el8.noarch                                                                                                                                   3/27 
  Running scriptlet: samba-common-4.13.3-3.el8.noarch                                                                                                                                   3/27 
  Running scriptlet: rpcbind-1.2.5-8.el8.x86_64                                                                                                                                         4/27 
  Installing       : rpcbind-1.2.5-8.el8.x86_64                                                                                                                                         4/27 
  Running scriptlet: rpcbind-1.2.5-8.el8.x86_64                                                                                                                                         4/27 
  Installing       : avahi-libs-0.7-20.el8.x86_64                                                                                                                                       5/27 
  Installing       : cups-libs-1:2.2.6-38.el8.x86_64                                                                                                                                    6/27 
  Installing       : quota-nls-1:4.04-12.el8.noarch                                                                                                                                     7/27 
  Installing       : quota-1:4.04-12.el8.x86_64                                                                                                                                         8/27 
  Installing       : python3-setools-4.3.0-2.el8.x86_64                                                                                                                                 9/27 
  Installing       : python3-pyyaml-3.12-12.el8.x86_64                                                                                                                                 10/27 
  Installing       : python3-libsemanage-2.9-6.el8.x86_64                                                                                                                              11/27 
  Installing       : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64                                                                                                              12/27 
  Installing       : psmisc-23.1-5.el8.x86_64                                                                                                                                          13/27 
  Installing       : libverto-libevent-0.3.0-5.el8.x86_64                                                                                                                              14/27 
  Installing       : gssproxy-0.8.0-19.el8.x86_64                                                                                                                                      15/27 
  Running scriptlet: gssproxy-0.8.0-19.el8.x86_64                                                                                                                                      15/27 
  Installing       : libicu-60.3-2.el8_1.x86_64                                                                                                                                        16/27 
  Running scriptlet: libicu-60.3-2.el8_1.x86_64                                                                                                                                        16/27 
  Installing       : libwbclient-4.13.3-3.el8.x86_64                                                                                                                                   17/27 
  Installing       : samba-common-libs-4.13.3-3.el8.x86_64                                                                                                                             18/27 
  Installing       : samba-client-libs-4.13.3-3.el8.x86_64                                                                                                                             19/27 
  Installing       : keyutils-1.5.10-6.el8.x86_64                                                                                                                                      20/27 
  Running scriptlet: nfs-utils-1:2.3.3-41.el8.x86_64                                                                                                                                   21/27 
  Installing       : nfs-utils-1:2.3.3-41.el8.x86_64                                                                                                                                   21/27 
  Running scriptlet: nfs-utils-1:2.3.3-41.el8.x86_64                                                                                                                                   21/27 
  Installing       : checkpolicy-2.9-1.el8.x86_64                                                                                                                                      22/27 
  Installing       : python3-policycoreutils-2.9-14.el8.noarch                                                                                                                         23/27 
  Installing       : policycoreutils-python-utils-2.9-14.el8.noarch                                                                                                                    24/27 
  Running scriptlet: nfs-ganesha-selinux-3.5-1.el8.noarch                                                                                                                              25/27 
  Installing       : nfs-ganesha-selinux-3.5-1.el8.noarch                                                                                                                              25/27 
  Running scriptlet: nfs-ganesha-selinux-3.5-1.el8.noarch                                                                                                                              25/27 
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                                                                                                                      26/27 
  Installing       : nfs-ganesha-3.5-1.el8.x86_64                                                                                                                                      26/27 
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                                                                                                                      26/27 
  Installing       : nfs-ganesha-vfs-3.5-1.el8.x86_64                                                                                                                                  27/27 
  Running scriptlet: libwbclient-4.13.3-3.el8.x86_64                                                                                                                                   27/27 
  Running scriptlet: nfs-ganesha-3.5-1.el8.x86_64                                                                                                                                      27/27 
  Running scriptlet: nfs-ganesha-vfs-3.5-1.el8.x86_64                                                                                                                                  27/27 
  Verifying        : libntirpc-3.4-1.el8.x86_64                                                                                                                                         1/27 
  Verifying        : nfs-ganesha-3.5-1.el8.x86_64                                                                                                                                       2/27 
  Verifying        : nfs-ganesha-selinux-3.5-1.el8.noarch                                                                                                                               3/27 
  Verifying        : nfs-ganesha-vfs-3.5-1.el8.x86_64                                                                                                                                   4/27 
  Verifying        : avahi-libs-0.7-20.el8.x86_64                                                                                                                                       5/27 
  Verifying        : checkpolicy-2.9-1.el8.x86_64                                                                                                                                       6/27 
  Verifying        : cups-libs-1:2.2.6-38.el8.x86_64                                                                                                                                    7/27 
  Verifying        : gssproxy-0.8.0-19.el8.x86_64                                                                                                                                       8/27 
  Verifying        : keyutils-1.5.10-6.el8.x86_64                                                                                                                                       9/27 
  Verifying        : libicu-60.3-2.el8_1.x86_64                                                                                                                                        10/27 
  Verifying        : libverto-libevent-0.3.0-5.el8.x86_64                                                                                                                              11/27 
  Verifying        : libwbclient-4.13.3-3.el8.x86_64                                                                                                                                   12/27 
  Verifying        : nfs-utils-1:2.3.3-41.el8.x86_64                                                                                                                                   13/27 
  Verifying        : policycoreutils-python-utils-2.9-14.el8.noarch                                                                                                                    14/27 
  Verifying        : psmisc-23.1-5.el8.x86_64                                                                                                                                          15/27 
  Verifying        : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64                                                                                                              16/27 
  Verifying        : python3-libsemanage-2.9-6.el8.x86_64                                                                                                                              17/27 
  Verifying        : python3-policycoreutils-2.9-14.el8.noarch                                                                                                                         18/27 
  Verifying        : python3-pyyaml-3.12-12.el8.x86_64                                                                                                                                 19/27 
  Verifying        : python3-setools-4.3.0-2.el8.x86_64                                                                                                                                20/27 
  Verifying        : quota-1:4.04-12.el8.x86_64                                                                                                                                        21/27 
  Verifying        : quota-nls-1:4.04-12.el8.noarch                                                                                                                                    22/27 
  Verifying        : rpcbind-1.2.5-8.el8.x86_64                                                                                                                                        23/27 
  Verifying        : samba-client-libs-4.13.3-3.el8.x86_64                                                                                                                             24/27 
  Verifying        : samba-common-4.13.3-3.el8.noarch                                                                                                                                  25/27 
  Verifying        : samba-common-libs-4.13.3-3.el8.x86_64                                                                                                                             26/27 
  Verifying        : userspace-rcu-0.10.1-4.el8.x86_64                                                                                                                                 27/27 

Installed:
  avahi-libs-0.7-20.el8.x86_64            checkpolicy-2.9-1.el8.x86_64                      cups-libs-1:2.2.6-38.el8.x86_64         gssproxy-0.8.0-19.el8.x86_64                           
  keyutils-1.5.10-6.el8.x86_64            libicu-60.3-2.el8_1.x86_64                        libntirpc-3.4-1.el8.x86_64              libverto-libevent-0.3.0-5.el8.x86_64                   
  libwbclient-4.13.3-3.el8.x86_64         nfs-ganesha-3.5-1.el8.x86_64                      nfs-ganesha-selinux-3.5-1.el8.noarch    nfs-ganesha-vfs-3.5-1.el8.x86_64                       
  nfs-utils-1:2.3.3-41.el8.x86_64         policycoreutils-python-utils-2.9-14.el8.noarch    psmisc-23.1-5.el8.x86_64                python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64   
  python3-libsemanage-2.9-6.el8.x86_64    python3-policycoreutils-2.9-14.el8.noarch         python3-pyyaml-3.12-12.el8.x86_64       python3-setools-4.3.0-2.el8.x86_64                     
  quota-1:4.04-12.el8.x86_64              quota-nls-1:4.04-12.el8.noarch                    rpcbind-1.2.5-8.el8.x86_64              samba-client-libs-4.13.3-3.el8.x86_64                  
  samba-common-4.13.3-3.el8.noarch        samba-common-libs-4.13.3-3.el8.x86_64             userspace-rcu-0.10.1-4.el8.x86_64      

Complete!
[root@srv ~]# tail -n 17 /etc/ganesha/ganesha.conf 
EXPORT
{
        Export_Id = 2;
        Path = /mnt/storage1;
        Pseudo = /mnt/storage1;
        Protocols = 3,4;
        Access_Type = RW;
        Squash = None;
        FSAL
        {
                Name = VFS;
        }
        CLIENT
        {
                Clients = 192.168.0.12;
        }
}

The required software is installed and configuration added.
Temporarily activate the permissive mode for NFS-Ganesha domain context and then start the server, mount it in the client and test some commands on the client like ls, stat, rm, mv, cp, cat, mkdir, rmdir….and so on. There would be multiple messages in the server’s auddit log /var/log/audit/audit.log. Base on latter messages a SELinux module will be built.

[root@srv ~]# semanage permissive -a ganesha_t
[root@srv ~]# semanage permissive -l

Builtin Permissive Types 


Customized Permissive Types

ganesha_t
[root@srv ~]# mkdir /mnt/storage1
[root@srv ~]# systemctl start nfs-ganesha
[root@srv ~]# firewall-cmd --permanent --zone=public --add-service=nfs
success
[root@srv ~]# firewall-cmd --reload
success
[root@srv ~]# Mount the share and test some commands on the client like ls, stat, rm, mv, cp, cat, mkdir, rmdir....and so on.
[root@srv ~]# systemctl stop nfs-ganesha
[root@srv ~]# semanage permissive -d ganesha_t
libsemanage.semanage_direct_remove_key: Removing last permissive_ganesha_t module (no other permissive_ganesha_t module exists at another priority).
[root@srv ~]# semanage permissive -l
[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow


#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { add_name create read remove_name rmdir write };
allow ganesha_t mnt_t:file { create getattr open read unlink write };
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;

Mounting the NFS share

Only client with IP 192.168.0.12 could mount the export directory /mnt/storage1. The CLIENT block could be omitted or may be included multiple times redefining some of the parameters from the current EXPORT block or global configuration.
For more information https://github.com/phdeniel/nfs-ganesha/blob/master/src/config_samples/export.txt The user may check all available parameters for the EXPORT block!

And mounting the directory from client with IP 192.168.0.12:

mount 192.168.0.20:/mnt/storage1 /clients/storage1

/etc/fstab example line:

192.168.0.20:/mnt/storage1 /clients/storage1 nfs defaults,hard,intr,noexec,nosuid,_netdev,fsc,vers=4 0 0

The 192.168.0.20 is the server IP of NFS-Ganesha. The /mnt/storage1 is exported directory by NFS-Ganesha and /clients/storage1 is the directory, under which the NFS share will be mounted on the client machine (could be changed to any directory name).

Client NFS share errors

Getting errors like:

mv: cannot move 'test' to 'test1': Permission denied

It means SELinux blocks certain calls. Analyzing the audit log /var/log/audit/audit.log would probably help:

[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow


#============= ganesha_t ==============
allow ganesha_t mnt_t:dir { add_name remove_name rmdir };
[root@srv ~]# ausearch -c 'ganesha.nfsd' --raw | audit2allow -M ganesha-new
********************** IMPORTANT *************************
To make this policy package active, execute:

semodule -i ganesha-new.pp

[root@srv ~]# semodule -i ganesha-new.pp

audit2allow shows what is missing and helps to build an SELinux module. Then import the module and the clients’ permission errors would stop.

Server errors

Permission error in the NFS-Ganesha log – /var/log/ganesha/ganesha.log:

14/04/2021 10:10:16 : epoch 6076bf88 : srv : ganesha.nfsd-15628[main] init_export_root :EXPORT :CRIT :Lookup failed on path, ExportId=2 Path=/mnt/storage1 FSAL_ERROR=(Permission denied,13)

The NFS-Ganesha does not have permission to open the exported directory. The solution is the same as with the client errors section. Search in the audit log and with ausearch, use audit2allow to generate module and import it with semodule.
Such error means the NFS share is not exported, at all. The client’s attempt would result in an error, too:

mount.nfs: mounting 192.168.0.20:/mnt/storage1 failed, reason given by server: No such file or directory

Here are some messages from /var/log/audit/audit.log

type=SYSCALL msg=audit(1618394379.846:331): arch=c000003e syscall=264 success=no exit=-13 a0=21 a1=7f6a7401f250 a2=22 a3=7f6a7400ece0 items=0 ppid=1 pid=11171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=renameat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618394456.824:332): avc:  denied  { remove_name } for  pid=11171 comm="ganesha.nfsd" name="p" dev="sda1" ino=5506980 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1618394456.824:332): arch=c000003e syscall=264 success=no exit=-13 a0=21 a1=7f6a800f1440 a2=22 a3=7f6a800f1460 items=0 ppid=1 pid=11171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=renameat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618395016.501:343): avc:  denied  { getattr } for  pid=15628 comm="ganesha.nfsd" path="/sys/kernel/tracing" dev="tracefs" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1618395016.501:343): arch=c000003e syscall=4 success=no exit=-13 a0=55e61a941315 a1=7ffc19e5d240 a2=7ffc19e5d240 a3=7fd0bf6920d0 items=0 ppid=1 pid=15628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:ganesha_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1618395016.508:344): avc:  denied  { read } for  pid=15628 comm="ganesha.nfsd" name="mnt" dev="sda1" ino=5505025 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0

All these SELinux deny messages for read, getattr, remove_name can be resolved described above with ausearch, audit2allow and semodule.

Leave a Reply

Your email address will not be published. Required fields are marked *