From Fedora Project Wiki
(Replaced content with "https://fedoraproject.org/wiki/Changes/LabeledNFS")
 
(13 intermediate revisions by the same user not shown)
= SELinux Labeled NFS Support <!-- The name of your feature --> =
https://fedoraproject.org/wiki/Changes/LabeledNFS
 
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS.
 
== Owner ==
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:dwalsh| Daniel Walsh]]
* Name: [[User:steved| Steve Dickson]]
 
<!-- Include your email address so that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved-->
* Email: <dwalsh@redhat.com>
 
== Current status ==
* Targeted release: [Fedora 20]
* Last updated: Jul 15 2013
* Percentage of completion: 50%
 
* selinux-policy fixes are in Fedora 20.
* NFS support should be in the 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel.
* nfs-utils support
* mount support?
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
We have always needed to treat an NFS mount as carrying a single label, usually something like nfs_t, or at best allow an administrator to override the default with a label using the mount <code>context=</code> option.  With this change, many different labels are supported on a single NFS share.

== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
 
There are two huge benefits for Fedora, both stemming from the fact that currently we cannot differentiate between labels on a single NFS mount point.  Applications like Secure Virtualization (sVirt), as launched by libvirt, cannot set the label of an image file on an NFS share, so sVirt separation is severely weakened.  Similarly, if you set up home directories on an NFS share, then any confined application that needs to write a file in a home directory can now write any file on the NFS share.
 
With labeled NFS this vulnerability goes away.
 
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Turn on Labeled NFS in the Fedora kernel, and fix any policy issues that arise because of this.  I believe this is mainly a testing issue, and that the functionality is complete.
 
== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be. -->
 
There are many different scenarios that have to be tested with this new functionality.
 
Basically, with Labeled NFS (LNFS) we need to test combinations of clients and servers that do and do not support LNFS and SELinux.
 
SELinux Testing

* SELinux Client LNFS - SELinux Server LNFS
* SELinux Client LNFS - SELinux Server no LNFS
* SELinux Client LNFS - Server LNFS
* SELinux Client LNFS - Server no LNFS
* Client LNFS - SELinux Server LNFS
* Client LNFS - SELinux Server no LNFS
* Client LNFS - Server LNFS
* Client LNFS - Server no LNFS
* Client no LNFS - SELinux Server LNFS
* Client no LNFS - SELinux Server no LNFS
* Client no LNFS - Server LNFS
* Client no LNFS - Server no LNFS
 
Three-way testing is also needed, i.e. you need two clients that support SELinux Client NFS: change the label on one client, and make sure the other client sees the change.
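
The three-way test described above, sketched as a shell script; this is an added example, not part of the original feature page. The peer hostname, file path, target type <code>public_content_t</code> and the 5-second wait are assumptions, and the script is run on one client with ssh access to the second.

```shell
#!/bin/sh
# Three-way labeled NFS check: relabel a file from this client, then
# confirm a second client sees the new label on the same export.
# Assumed (not from the page): hostnames, paths, public_content_t, 5s wait.

# Extract the type field from a context of the form user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify the peer's view. Args: context before, context after, wanted type.
#   INCONCLUSIVE  file already had the wanted type, so nothing was proven
#   PASS          peer now reports the wanted type
#   STALE         peer still reports the old context (e.g. a single nfs_t)
#   MISMATCH      peer reports some other, unexpected context
verdict() {
    if [ "$(ctx_type "$1")" = "$3" ]; then
        echo INCONCLUSIVE
    elif [ "$(ctx_type "$2")" = "$3" ]; then
        echo PASS
    elif [ "$2" = "$1" ]; then
        echo STALE
    else
        echo MISMATCH
    fi
}

# Read the SELinux context of a file as seen by the second client.
remote_ctx() {
    ssh "$1" stat -c %C "$2"
}

# Args: peer host, file on the shared NFS mount, type to set.
main() {
    before=$(remote_ctx "$1" "$2") || return 2
    chcon -t "$3" "$2" || return 2
    sleep 5   # assumed interval for the peer to refresh cached attributes
    after=$(remote_ctx "$1" "$2") || return 2
    echo "peer before: $before"
    echo "peer after:  $after"
    verdict "$before" "$after" "$3"
}

# Example: ./lnfs-3way.sh client2.example.com /mnt/nfs/testfile public_content_t
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

A STALE result with both contexts showing nfs_t is what a pairing without Labeled NFS on either side would produce.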
 
 
 
 
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 
We can continue doing what we always did: all clients labeled the same.

== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
 
 
== Comments and Discussion ==
* See [[Talk:Features/SELinuxSystemdAccessControl]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
 
[[Category:FeaturePageIncomplete]]
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Latest revision as of 14:11, 24 July 2013