SELinux contexts with NFS shares

I'm trying to set up an NFS share between 2 CentOS servers (filesrv & websrv) for a folder that needs to be readable & writeable by the Apache process. I'm having trouble with the writeable side of this, which I've narrowed down to SELinux configuration: Apache can write to the share if I setenforce 0 on the NFS client.

The relevant line in the exports file for the NFS server is:

/data/files/sitefiles websrv(rw,sync,no_root_squash)


The SELinux context for the shared folder on the NFS server is:

system_u:object_r:httpd_sys_rw_content_t:s0


The entry in my fstab on the NFS client is:

filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0


As far as I can tell, this should mount the NFS share with the httpd_sys_rw_content_t context, but when I check it, it's actually:

system_u:object_r:httpd_sys_content_t:s0


What could be causing it to apply the stricter context to the share?


Solution 1:

The simple solution should be to use the SELinux boolean httpd_use_nfs to allow your webserver to display and write content stored on an NFS share:

setsebool -P httpd_use_nfs=1 

Solution 2:

This problem was occurring because I was mounting multiple NFS shares from the same server, not all of which had the same context.

As per the RedHat documentation on multiple NFS mounts, I needed to add nosharecache to my fstab line for the mounts. The correct SELinux context is then applied on a mount-by-mount basis.

The working line in my fstab is as follows:

filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs nosharecache,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0
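The fstab check that Solution 2 implies, as an added example that is not part of the original thread: a small shell function that flags NFS mounts which set a context= option without nosharecache while another mount from the same server asks for a different context. The fstab lines are constructed for the example; the function name and the sample paths other than the asker's are assumptions.

```shell
# Constructed fstab lines: three mounts from filesrv with differing SELinux
# contexts (only the third carries nosharecache) and one unrelated mount.
SAMPLE_FSTAB='filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0
filesrv:/data/files/static /var/www/html/webroot/static nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
filesrv:/data/logs /var/log/remote nfs nosharecache,context="system_u:object_r:var_log_t:s0" 0 0
backupsrv:/backups /mnt/backups nfs defaults 0 0'

# The same lines with nosharecache on every context= mount, as Solution 2 prescribes.
FIXED_FSTAB='filesrv:/data/files/sitefiles /var/www/html/webroot/files nfs nosharecache,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0
filesrv:/data/files/static /var/www/html/webroot/static nfs nosharecache,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
filesrv:/data/logs /var/log/remote nfs nosharecache,context="system_u:object_r:var_log_t:s0" 0 0'

# check_nfs_contexts FSTAB_TEXT
# Prints "server mountpoint context" for every NFS mount that sets context=
# without nosharecache while another mount from the same server asks for a
# different context, i.e. the situation where the kernel shares one superblock
# (and so one context) between the mounts. No output means no conflict.
check_nfs_contexts() {
    printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 4 { next }
    $3 == "nfs" || $3 == "nfs4" {
        srv = $1; sub(/:.*/, "", srv)          # server part of server:/export
        n = split($4, o, ","); ctx = ""; shared = 1
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^context=/) { ctx = o[i]; sub(/^context=/, "", ctx); gsub(/"/, "", ctx) }
            if (o[i] == "nosharecache") shared = 0
        }
        if (ctx == "") next                     # no explicit context requested
        cnt++; S[cnt] = srv; M[cnt] = $2; C[cnt] = ctx; SH[cnt] = shared
        if (!(srv in first)) first[srv] = ctx
        if (first[srv] != ctx) differs[srv] = 1 # this server has mixed contexts
    }
    END {
        for (i = 1; i <= cnt; i++)
            if (SH[i] && differs[S[i]]) print S[i], M[i], C[i]
    }'
}

check_nfs_contexts "$SAMPLE_FSTAB"
```

Run it against your real /etc/fstab with `check_nfs_contexts "$(cat /etc/fstab)"`; after the mount, `ls -dZ` on the mountpoint confirms which context was actually applied.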