RHEL Documentation / RHELDOCS-18677

Please mention NFS SELinux booleans in "deploying an NFS server"


      Document link:
      https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_using_network_file_services/deploying-an-nfs-server_configuring-and-using-network-file-services#deploying-an-nfs-server_configuring-and-using-network-file-services

      Section number and name:
      Chapter 2. Deploying an NFS server

      Describe the issue:
      Out of the box, nfs_export_all_rw and nfs_export_all_ro SELinux booleans are enabled. As a result SELinux type enforcement is bypassed by the NFS server for read/write and read/only file access.

      This is OK for a default configuration but the documentation should mention that this is the case & explain how to modify these booleans and why you'd want to do so.

      Suggestions for improvement:
      A new section called something like "hardening an NFS server" which explains:

      • (briefly) what SELinux is, that it is a good thing for security
      • The NFS server bypasses enforcement of SELinux policy by default
      • Policy enforcement can be enabled by permanently disabling nfs_export_all_rw and nfs_export_all_ro booleans
      • Once this is done, NFS clients will no longer be able to modify and read (respectively) files unless they have the right label (and list some common labels, nfsd_fs_t for content that only NFS should access, public_content_t/public_content_rw_t for content that needs to be accessed by NFS and also httpd, etc)
      • nfsd_anon_write should also be mentioned - disabled by default, enable to allow NFS to write to public_content_rw_t
      • maybe reference the nfsd_selinux man page for more general info
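The following shell script is an added example illustrating the audit and hardening steps the bullets above ask for; it is not part of this issue or of the RHEL documentation. It parses `getsebool` output (a constructed sample is embedded for offline use) to report which export booleans currently bypass type enforcement, and the `harden_nfs_share` function applies the permanent boolean changes and the `public_content_t` / `public_content_rw_t` labelling with `setsebool -P`, `semanage fcontext` and `restorecon`. The share path `/srv/nfs/export` and the function names are assumptions for illustration; `harden_nfs_share` is only run when you invoke it explicitly as root on an NFS server.

```shell
#!/bin/sh
# Added example (not the issue's or Red Hat's own code): audit and harden the
# NFS-related SELinux booleans discussed in RHELDOCS-18677.

# Constructed sample of `getsebool nfs_export_all_rw nfs_export_all_ro nfsd_anon_write`
# output on a default RHEL install (both export booleans on, anon write off).
SAMPLE_GETSEBOOL='nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off'

# Print the names of the export booleans that are enabled, i.e. the ones that
# make nfsd bypass SELinux type enforcement. Argument: getsebool-style text.
nfs_bypass_booleans() {
    printf '%s\n' "$1" | awk '
        ($1 == "nfs_export_all_rw" || $1 == "nfs_export_all_ro") && $3 == "on" { print $1 }'
}

# Succeed (exit 0) only when neither export boolean is enabled, i.e. SELinux
# policy is actually enforced for files served by NFS.
nfs_policy_enforced() {
    [ -z "$(nfs_bypass_booleans "$1")" ]
}

# Label to apply to a share once enforcement is on: read-only content gets
# public_content_t, content NFS clients may write gets public_content_rw_t.
nfs_share_label() {
    if [ "$1" = rw ]; then echo public_content_rw_t; else echo public_content_t; fi
}

# Apply the hardening on a real server (requires root and policycoreutils-python-utils):
#   harden_nfs_share /srv/nfs/export rw
harden_nfs_share() {
    share=$1
    mode=${2:-ro}
    label=$(nfs_share_label "$mode")

    # -P makes the change persistent across reboots.
    setsebool -P nfs_export_all_rw off
    setsebool -P nfs_export_all_ro off

    # Writes to public_content_rw_t additionally need nfsd_anon_write.
    if [ "$mode" = rw ]; then
        setsebool -P nfsd_anon_write on
    fi

    # Record the label in policy, then relabel the existing tree.
    semanage fcontext -a -t "$label" "${share}(/.*)?"
    restorecon -Rv "$share"
}

# Stand-alone run: audit the live system if getsebool is present, else the sample.
if command -v getsebool >/dev/null 2>&1; then
    current=$(getsebool nfs_export_all_rw nfs_export_all_ro nfsd_anon_write)
else
    current=$SAMPLE_GETSEBOOL
fi

if nfs_policy_enforced "$current"; then
    echo "OK: SELinux type enforcement applies to NFS exports"
else
    echo "WARNING: nfsd bypasses SELinux type enforcement via:"
    nfs_bypass_booleans "$current" | sed 's/^/  /'
    echo "Fix with: harden_nfs_share /srv/nfs/export ro|rw"
fi
```

Run the audit part as an ordinary user first; only call `harden_nfs_share` after you have labelled every exported tree, because once the booleans are off any file without a label nfsd is allowed to read becomes inaccessible to clients.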

      Additional information:

            mstubna@redhat.com Michal Stubna
            staticyrro7 Sam Morris