Shortcuts in Files Menu and SELinux

I created a directory /lab where I will mount different NFS volumes from multiple locations. I want to present /lab with the mounted volumes to all OOD users as a shortcut in the Files menu. I created the following configuration in /etc/ood/config/apps/dashboard/initializers/ood.rb:

paths << FavoritePath.new("/lab", title: "Laboratory Directories")

SELinux prevented the new directory from appearing in the Files menu. Output from “sealert” said:

SELinux is preventing /usr/bin/ruby from read access on the directory lab.
...
If you want to allow ruby to have read access on the lab directory
Then you need to change the label on lab
Do
# semanage fcontext -a -t FILE_TYPE 'lab'
where FILE_TYPE is one of the following: ..., ood_apps_public_t,
 ood_apps_t, ood_pun_log_t, ood_pun_tmp_t,
 ood_pun_var_config_t, ood_pun_var_lib_t,
 ood_pun_var_run_t, ... 
...
Source Context                system_u:system_r:ood_pun_t:s0
Target Context                unconfined_u:object_r:default_t:s0
...

I tried

# semanage fcontext -a -t ood_pun_t 'lab'

and received error

ValueError: Type ood_pun_t is invalid, must be a file or device type

Note that “ood_pun_t”, identified in “Source Context”, is not one of the FILE_TYPE values in the earlier list. What should I have specified?

Setting SELinux to Permissive mode allows the lab directory to appear in the Files menu, so that is what I am doing for now.

The selinux package we ship is largely community driven, so I can’t really comment on this much myself. @tdockendorf may know more.

That said - pull requests welcome to patch something like this.

We are not required to run SELinux here (not yet, anyway), but it is a “nice to do so if one can” feature. If this is an esoteric matter, then I can live without it. Thanks for the context.

Not really esoteric, just community driven really. We run it at OSC on some systems - but it kind of works for us, so for other cases like this we really rely on the community supplying patches.

You can’t change NFS mount context outside of changing the mount options. When NFS gets a context the entire NFS mount will have the same context based on the mount options. We do support ondemand_use_nfs SELinux boolean to allow OnDemand to access NFS.

https://osc.github.io/ood-documentation/latest/installation/modify-system-security.html

That boolean should be on by default, so if it’s not working then our boolean doesn’t handle the context you used for the NFS mount. The system I tested NFS mounts on uses autofs to mount NFS and when mounted it looks like this:

$ ls -laZ /users/
<SNIP>
drwxr-xr-x.  9 root root system_u:object_r:nfs_t:s0    4096 Nov 28  2023 sysp

When you mount /lab using NFS you can pass mount option like this:

mount -t nfs -o ...,context="system_u:object_r:nfs_t:s0"... device:path /lab

I thought NFS mounts by default would use nfs_t, but it seems yours is not for some reason.

Thanks for the follow-up. Actually, /lab is the parent directory of mount points, and it looks like

ls -lZd /lab

drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 18 Feb 18 16:30 /lab

A sample mount within there does show “nfs_t”:

ls -lZd /lab/sample

drwxrwsr-x+ 265 system_u:object_r:nfs_t:s0 16384 Feb 17 16:23 /lab/sample

Do you think that running

semanage fcontext -a -t nfs_t 'lab'

would fix my situation?

I believe that semanage command would do the trick plus a restorecon. Example:

[root@webdev02 ~]# mkdir /lab
[root@webdev02 ~]# ls -laZ /lab
total 8
drwxr-xr-x.  2 root root unconfined_u:object_r:default_t:s0 4096 Feb 20 10:53 .
dr-xr-xr-x. 22 root root system_u:object_r:root_t:s0        4096 Feb 20 10:53 ..
[root@webdev02 ~]# semanage fcontext -a -t nfs_t /lab
[root@webdev02 ~]# restorecon -v /lab
Relabeled /lab from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:nfs_t:s0
[root@webdev02 ~]# ls -laZ /lab
total 8
drwxr-xr-x.  2 root root unconfined_u:object_r:nfs_t:s0 4096 Feb 20 10:53 .
dr-xr-xr-x. 22 root root system_u:object_r:root_t:s0    4096 Feb 20 10:53 ..
[root@webdev02 ~]# semanage fcontext -a -t nfs_t -s system_u /lab
File context for /lab already defined, modifying instead
[root@webdev02 ~]# restorecon -vF /lab
Relabeled /lab from unconfined_u:object_r:default_t:s0 to system_u:object_r:nfs_t:s0
[root@webdev02 ~]# ls -laZ /lab
total 8
drwxr-xr-x.  2 root root system_u:object_r:nfs_t:s0  4096 Feb 20 10:57 .
dr-xr-xr-x. 22 root root system_u:object_r:root_t:s0 4096 Feb 20 10:57 ..

So I think what you’ll want is

semanage fcontext -a -t nfs_t -s system_u /lab
restorecon -vF /lab
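Added example (not code from the thread or from Open OnDemand): a small POSIX sh helper that takes the `ls -lZd` line for a directory, pulls out the SELinux *type* from the `user:role:type:level` context, and prints the `semanage fcontext` / `restorecon` commands from the answer above when the directory is still `default_t`. It ties together the two points made earlier: the `ondemand_use_nfs` boolean lets `ood_pun_t` read `nfs_t`, and the label that has to change is the one on the target directory (a file type such as `nfs_t`), not the process domain shown under Source Context, which is why `-t ood_pun_t` was rejected. The function names are my own; the two sample lines are the `/lab` and `/lab/sample` listings quoted earlier in this thread, embedded here so the script runs without a live system. Nothing is executed against the host: the commands are printed for review.

```shell
#!/bin/sh
# Added example: decide whether a directory that the OOD PUN (ood_pun_t) must
# traverse carries a type covered by the ondemand_use_nfs boolean (nfs_t).
# Sample `ls -lZd` lines copied from this thread (constructed input, not live):
LAB_BEFORE='drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 18 Feb 18 16:30 /lab'
LAB_SAMPLE='drwxrwsr-x+ 265 system_u:object_r:nfs_t:s0 16384 Feb 17 16:23 /lab/sample'

# selinux_type_of LINE
# Print the type field (3rd colon-separated part) of the SELinux context in
# one `ls -lZd` line. The context is located by its ':object_r:' role rather
# than by column position, because `ls` may omit the group column (as in the
# /lab/sample line above). Prints nothing if no context is present.
selinux_type_of() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep ':object_r:' | head -n 1 | cut -d: -f3
}

# relabel_plan DIR LINE
# Print "ok" if DIR is already nfs_t, otherwise print the persistent fix used
# in this thread: an fcontext rule plus a forced restorecon (-F also resets
# the user part of the context to system_u). Exit status: 0 = nothing to do,
# 1 = commands printed, 2 = no context found, 3 = an unexpected type.
relabel_plan() {
    dir=$1
    type=$(selinux_type_of "$2")
    if [ -z "$type" ]; then
        echo "no SELinux context found in: $2" >&2
        return 2
    fi
    case "$type" in
        nfs_t)
            echo "ok: $dir already $type"
            return 0 ;;
        default_t)
            echo "semanage fcontext -a -t nfs_t -s system_u $dir"
            echo "restorecon -vF $dir"
            return 1 ;;
        *)
            echo "unexpected type $type on $dir; check sealert before relabeling" >&2
            return 3 ;;
    esac
}

# Stand-alone demonstration on the two sample listings.
relabel_plan /lab "$LAB_BEFORE" || :
relabel_plan /lab/sample "$LAB_SAMPLE" || :
```

On a real host you would feed it `relabel_plan /lab "$(ls -lZd /lab)"` and run the printed commands as root. This only handles the parent directory that lives on local storage; a mount point itself takes its label from the NFS mount options, so if `ls -lZd` on the mounted volume does not show `nfs_t`, the `context=` mount option shown earlier in the thread is the lever, not `semanage`.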

That did it. Just to be sure, I rebooted the server, and it still worked. Thank you for your help. I appreciate it greatly.