| Line 89: | Line 89: | ||
== Comments and Discussion == | == Comments and Discussion == | ||
* See [[Talk:Features/ | * See [[Talk:Features/LabeledNFS]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --> | ||
[[Category: | [[Category:FeatureReadyForWrangler]] | ||
<!-- When your feature page is completed and ready for review --> | <!-- When your feature page is completed and ready for review --> | ||
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | <!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | ||
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | <!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | ||
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> | <!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> | ||
Revision as of 19:29, 15 July 2013
SELinux Labeled NFS Support
Summary
The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS.
Owner
- Name: Daniel Walsh
- Name: Steve Dickson
- Email: <dwalsh@redhat.com>
Current status
- Targeted release: [Fedora 20]
- Last updated: Jul 15 2013
- Percentage of completion: 90%
- selinux-policy fixes are in Fedora 20.
- Labeled NFS Support is in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel
- nfs-utils support
- mount support
Detailed Description
We have always needed to treat NFS mounts with a single label usually something like nfs_t. Or at best allow an administrator to override the default with a label using the mount --context option. With this change we have lots of different Labels supported on an NFS share.
Benefit to Fedora
There are two huge benefits for Fedora, in that currently we can not differentiate different labels on a single NFS mount point. Applications like Secure Virtualization as launched by libvirt, can not set the label of an image file on an NFS share, so sVirt separation is severely weakened. Similarly if you setup home directories on an NFS share, then any confined application that needs to write a file in a home directory now can write any file on an NFS Share.
With labeled NFS this vulnerability goes away.
Scope
Turn on Labeled NFS in the Fedora Kernel, Fix any policy issues that arise because of this. I believe this is mainly a testing issue, and that the functionality is comeplet.
How To Test
Do to a bug in nfs-utils:
On the server you to start the server
service nfs start
Bring down the server
service nfs stop
Set the version
echo "+4.2" > /proc/fs/nfsd/versions
Then start the server again...
There are many different scenarios that have to be tested with this new functionality.
Basically with Labeled NFS we need to test with client and servers supporting LNFS and SELinux
SELinux Testing
- SELinux Client LNFS - SELinux Server LNFS
- SELinux Client LNFS - SELinux Server No LNFS
- SELinux CLient LNFS - Server LNFS
- SELinux CLient LNFS - Server No LNFS
- Client LNFS - SELinux Server LNFS
- Client LNFS - SELInux Server No LNFS
- Client LNFS - Server LNFS
- Client LNFS - Server no LNFS
- Client no LNFS - SELinux Server LNFS
- Client no LNFS - SELInux Server No LNFS
- Client no LNFS - Server LNFS
- Client no LNFS - Server no LNFS
Also need testing on three way. IE You need two clients that support SELinux CLient NFS and change the label on one client, and make sure the other client sees the change.
Contingency Plan
We can continue using what we always did, all clients labeled the same