Network Services Overview: NFS

General Information

This page covers the Network Services objectives, specifically for NFS.

Network Services Objectives

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all NFS client tests from here
  • server2.example.com (192.168.1.151) → Install the NFS server here

Install the packages needed to provide the service

Install the service

yum install nfs-utils

Configure SELinux to support the service


Use SELinux port labeling to allow services to use non-standard ports

Configure the service to use a non-standard port and allow access to that port with SELinux.

NOTE: “man semanage-port” has examples for allowing non-standard ports!


Configure the service to start when the system is booted

Check Current Service Status

systemctl status nfs-server
  • Also displays whether the service is enabled or disabled


Enabling a service to start on boot

systemctl enable nfs-server

Configure the service for basic operation

Enable and Start the service

systemctl enable nfs-server
systemctl start nfs-server

Configure host-based and user-based security for the service

Allow access through the firewall to the NFS service

firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload


Allow access through the firewall so that the showmount command works from clients

firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload

Configure host based access in /etc/exports

/data-share  *.example.com(ro)
 
/data-share2  192.168.1.0/24(rw)
  • Hostname based and network based
  • Others refused

Export modifications

exportfs -var

With the default NFS security (sec=sys), access is controlled by client IP address or hostname.

Kerberos can be used to provide user authentication to NFS services.
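
Added example (not part of the original page): a shell function that reads /etc/exports-style lines and reports the effective access and security flavor for each path and client, flagging entries open to any host and entries that rely on sec=sys. The sample input is constructed: its first two lines are the exports above, while /data-share3 and /secure are hypothetical, and the parser assumes one export per line with no backslash continuations.

```shell
#!/usr/bin/env bash
# Added example: audit exports(5)-style lines for host-based access scope.
# Assumption: one export per line, no backslash continuations or quoted paths.

# Constructed sample: the first two lines are the exports shown on this page;
# /data-share3 and /secure are hypothetical entries added to exercise the checks.
sample_exports() {
cat <<'EOF'
/data-share  *.example.com(ro)
/data-share2  192.168.1.0/24(rw)
/data-share3  192.168.1.0/24 (rw)
/secure  *.example.com(rw,sec=krb5p)
EOF
}

# Reads exports lines on stdin; prints "<path> <client> <ro|rw> sec=<flavor> [flags]"
# for every path/client pair. Defaults applied when an option is absent: ro, sec=sys.
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)$/)) {         # split "client(opt,opt)"
          client = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        # A space before "(" leaves the option list with no client, which
        # applies those options to every host.
        if (client == "") client = "*"
        access = "ro"; sec = "sys"; flags = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "rw") access = "rw"
          else if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
        }
        if (client == "*") flags = flags " WORLD"
        if (sec == "sys") flags = flags " HOST_BASED_ONLY"
        printf "%s %s %s sec=%s%s\n", $1, client, access, sec, flags
      }
    }'
}

sample_exports | audit_exports
```

To check a real server, run: audit_exports < /etc/exports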


  • Last modified: 2019/05/25 23:50