The way I've dealt with SELinux when enforcing is through the following
set of commands:
# ----------------------------------------------------------------
nfs01 / nfs02 / nfs03
Run any of the following commands, or a combination of them, on deny entries
in /var/log/audit/audit.log that may appear as you stop, start or
install the above services:
METHOD 1:
grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
semodule -i systemd-allow.pp
# ----------------------------------------------------------------
https://microdevsys.com/wp/glusterfs-configuration-and-setup-w-nfs-ganesh...
# ----------------------------------------------------------------
Using the first method allowed me to get through virtually all of them.
However, that is not a replacement for the nfs-ganesha-selinux package.
Just the same, it has been running for 3 years now, currently on NFS Ganesha 3.4, and I'm
quite happy. I've included the SELinux rules enabled on my nodes, in
case this helps here.
[root@nfs01 ~]# semanage fcontext -l|grep -Ei "nfs|ganesha"
/var/lib/nfs(/.*)?                                     all files       system_u:object_r:var_lib_nfs_t:s0
/var/log/ganesha.log                                   regular file    system_u:object_r:ganesha_var_log_t:s0
/usr/bin/ganesha.nfsd                                  regular file    system_u:object_r:ganesha_exec_t:s0
/var/log/ganesha.log.*                                 regular file    system_u:object_r:ganesha_var_log_t:s0
/var/log/ganesha(/.*)?                                 all files       system_u:object_r:ganesha_var_log_t:s0
/var/run/ganesha(/.*)?                                 all files       system_u:object_r:ganesha_var_run_t:s0
/var/log/ganesha-gfapi.log.*                           regular file    system_u:object_r:ganesha_var_log_t:s0
/var/lib/nfs/rpc_pipefs(/.*)?                          all files       <<None>>
/usr/lib/nfs-utils/scripts(/.*)?                       all files       system_u:object_r:bin_t:s0
/usr/lib/systemd/system/nfs.*                          regular file    system_u:object_r:nfsd_unit_file_t:s0
/usr/share/munin/plugins/nfs.*                         regular file    system_u:object_r:system_munin_plugin_exec_t:s0
/usr/lib/systemd/system/nfs-ganesha.*e                 regular file    system_u:object_r:ganesha_unit_file_t:s0
/usr/lib/systemd/system/nfs-ganesha-lock.*             regular file    system_u:object_r:ganesha_unit_file_t:s0
/usr/lib/systemd/system/nfs-ganesha-config.*           regular file    system_u:object_r:ganesha_unit_file_t:s0
/var/tmp/nfs_0                                         regular file    system_u:object_r:krb5_host_rcache_t:s0
/usr/sbin/rpc\.nfsd                                    regular file    system_u:object_r:nfsd_exec_t:s0
/etc/rc\.d/init\.d/nfs                                 regular file    system_u:object_r:nfsd_initrc_exec_t:s0
/usr/sbin/rpc\.mountd                                  regular file    system_u:object_r:nfsd_exec_t:s0
/etc/rc\.d/init\.d/nfslock                             regular file    system_u:object_r:rpcd_initrc_exec_t:s0
/usr/share/cluster/svclib_nfslock                      regular file    system_u:object_r:bin_t:s0
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh              regular file    system_u:object_r:tmpreaper_exec_t:s0
/usr/share/system-config-nfs/nfs-export\.py            regular file    system_u:object_r:bin_t:s0
/usr/share/system-config-nfs/system-config-nfs\.py     regular file    system_u:object_r:bin_t:s0
/var/log/ganesha                                       all files       system_u:object_r:ganesha_var_log_t:s0
/var/log/ganesha/ganesha.log                           all files       system_u:object_r:ganesha_var_log_t:s0
/var/log/ganesha/ganesha-gfapi.log                     all files       system_u:object_r:ganesha_var_log_t:s0
[root@nfs01 ~]#
Thanks,
On 3/1/2021 2:06 PM, vaf0001--- via Support wrote:
OK, I finally found the time to revisit this issue. Indeed, it
appears the SELinux policy was not sufficient to allow access to the filesystem. I have
posted the relevant output on GitHub. Here it is, in case someone else is having
similar issues:
module ganesha-extra 1.0;
require {
type ipmi_device_t;
type user_home_dir_t;
type unlabeled_t;
type ganesha_t;
type fuse_device_t;
type efivarfs_t;
type dosfs_t;
type var_t;
type tracefs_t;
type device_t;
type home_root_t;
class dir { getattr read };
class file getattr;
class blk_file getattr;
class chr_file getattr;
class filesystem getattr;
}
#============= ganesha_t ==============
allow ganesha_t device_t:blk_file getattr;
allow ganesha_t dosfs_t:dir getattr;
allow ganesha_t dosfs_t:filesystem getattr;
allow ganesha_t efivarfs_t:dir getattr;
allow ganesha_t efivarfs_t:filesystem getattr;
allow ganesha_t fuse_device_t:chr_file getattr;
allow ganesha_t home_root_t:dir read;
allow ganesha_t ipmi_device_t:chr_file getattr;
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;
allow ganesha_t unlabeled_t:dir getattr;
allow ganesha_t unlabeled_t:file getattr;
allow ganesha_t user_home_dir_t:dir getattr;
allow ganesha_t var_t:dir read;
_______________________________________________
Support mailing list -- support(a)lists.nfs-ganesha.org
To unsubscribe send an email to support-leave(a)lists.nfs-ganesha.org
--
Thx,
TK.
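As an added example (not code from this thread or from the nfs-ganesha project), the Python script below does what the `grep AVC /var/log/audit/audit.log | audit2allow -M ...` step in the thread does: it parses AVC denial records, de-duplicates them into allow rules keyed on source type, target type and class, and renders a .te module in audit2allow's layout, as in the ganesha-extra module quoted above. It adds one thing audit2allow does not: it flags rules whose target is a broad type such as unlabeled_t, where the denial usually means the object is mislabelled (fixable with restorecon) rather than that ganesha_t needs a new rule. The sample audit.log records, the module name ganesha-extra and the REVIEW_TARGETS list are constructed for this example.

```python
"""Build an SELinux .te module from AVC denials (audit2allow-style) and flag
rules that deserve review before `semodule -i`. Added example for the thread."""
import re
from collections import defaultdict

# Constructed sample audit.log records, modelled on the ganesha_t denials the
# thread discusses; not copied from any real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1614625200.123:4567): avc:  denied  { getattr } for  pid=1234 comm="ganesha.nfsd" path="/dev/sda" dev="devtmpfs" ino=1234 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1614625200.124:4568): avc:  denied  { read } for  pid=1234 comm="ganesha.nfsd" name="var" dev="dm-0" ino=2 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1614625200.125:4569): avc:  denied  { getattr } for  pid=1234 comm="ganesha.nfsd" path="/mnt/export" dev="dm-1" ino=99 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1614625200.126:4570): avc:  denied  { read } for  pid=1234 comm="ganesha.nfsd" name="var" dev="dm-0" ino=2 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1614625200.127:4571): avc:  denied  { getattr } for  pid=1234 comm="ganesha.nfsd" path="/mnt/export/f" dev="dm-1" ino=100 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1614625200.128:4572): avc:  denied  { search } for  pid=1234 comm="ganesha.nfsd" name="nfs" dev="dm-0" ino=7 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1614625200.128:4572): arch=c000003e syscall=4 success=no exit=-13 comm="ganesha.nfsd"
"""

# One AVC record: the denied permission set, both security contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\w+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc_log(text):
    """Map (source type, target type, class) -> set of denied permissions,
    merging repeated denials of the same triple the way audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def perm_set(perms):
    """Render a permission set in TE syntax: one bare name or a braced list."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(rules, module_name, version="1.0"):
    """Render rules as .te source (audit2allow layout) for checkmodule/semodule_package."""
    types, class_perms = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        class_perms[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {perm_set(p)};" for c, p in sorted(class_perms.items())]
    out.append("}")
    for stype in sorted({k[0] for k in rules}):
        out += ["", f"#============= {stype} =============="]
        out += [f"allow {s} {t}:{c} {perm_set(p)};"
                for (s, t, c), p in sorted(rules.items()) if s == stype]
    return "\n".join(out) + "\n"


# Target types where a denial usually means the object is mislabelled rather
# than that the domain needs a new rule; allowing them grants access to every
# object carrying that label. Illustrative list chosen for this example.
REVIEW_TARGETS = {"unlabeled_t", "device_t", "var_t"}


def review_flags(rules):
    """Rules a reviewer should justify (or fix by relabelling) before semodule -i."""
    return [f"allow {s} {t}:{c} {perm_set(p)}  # broad target type, check labels first"
            for (s, t, c), p in sorted(rules.items()) if t in REVIEW_TARGETS]


if __name__ == "__main__":
    rules = parse_avc_log(SAMPLE_AUDIT_LOG)
    print(generate_te(rules, "ganesha-extra"))
    for flag in review_flags(rules):
        print("REVIEW:", flag)
```

Feed it real data with `ausearch -m avc -ts recent | python3 this_script.py` after swapping SAMPLE_AUDIT_LOG for sys.stdin.read(); the printed .te can be built the same way audit2allow's -M output is, with `checkmodule -M -m -o ganesha-extra.mod ganesha-extra.te`, `semodule_package -o ganesha-extra.pp -m ganesha-extra.mod` and `semodule -i ganesha-extra.pp`. Anything listed under REVIEW is a candidate for `restorecon -Rv` on the path in the denial instead of a blanket allow.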