4.2. Adjusting the policy for sharing NFS and CIFS volumes using SELinux booleans
You can change parts of SELinux policy at runtime using booleans, even without any knowledge of SELinux policy writing. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. The following procedure demonstrates listing SELinux booleans and configuring them to achieve the required changes in the policy.
NFS mounts on the client side are labeled with a default context defined by a policy for NFS volumes. In RHEL, this default context uses the
nfs_t type. Also, Samba shares mounted on the client side are labeled with a default context defined by the policy. This default context uses the
cifs_t type. You can enable or disable booleans to control which services are allowed to access the
To allow the Apache HTTP server service (
httpd) to access and share NFS and CIFS volumes, perform the following steps:
Optionally, install the
selinux-policy-develpackage to obtain clearer and more detailed descriptions of SELinux booleans in the output of the
semanage boolean -lcommand.
Identify SELinux booleans relevant for NFS, CIFS, and Apache:
# semanage boolean -l | grep 'nfs\|cifs' | grep httpd httpd_use_cifs (off , off) Allow httpd to access cifs file systems httpd_use_nfs (off , off) Allow httpd to access nfs file systems
List the current state of the booleans:
$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> off httpd_use_nfs --> off
Enable the identified booleans:
# setsebool httpd_use_nfs on # setsebool httpd_use_cifs on注記
-Poption to make the changes persistent across restarts. A
setsebool -Pcommand requires a rebuild of the entire policy, and it might take some time depending on your configuration.
Check that the booleans are
$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> on httpd_use_nfs --> on