From Fedora Project Wiki
Line 92: Line 92:
In the beginning this will be turned off by default so updating a system from an older Fedora should continue to run, with nfs mounts treated as nfs_t, by SELinux.
In the beginning this will be turned off by default so updating a system from an older Fedora should continue to run, with nfs mounts treated as nfs_t, by SELinux.


== How To Test ==
== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  

Revision as of 14:08, 24 July 2013


Enable SELinux Labeled NFS Support

Summary

The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS.

Owner

  • Email: <dwalsh@redhat.com>
  • Email: <steved@redhat.com>

Current status

  • Targeted release: [Fedora 20]
  • Last updated: Jul 24 2013
  • Tracker bug: <will be assigned by the Wrangler>
  • Percentage of completion: 90%


Detailed Description

We have always needed to treat NFS mounts with a single label usually something like nfs_t. Or at best allow an administrator to override the default with a label using the mount --context option. With this change we have lots of different Labels supported on an NFS share.

Benefit to Fedora

There are two huge benefits for Fedora, in that currently we can not differentiate different labels on a single NFS mount point. Applications like Secure Virtualization as launched by libvirt, can not set the label of an image file on an NFS share, so sVirt separation is severely weakened. Similarly if you setup home directories on an NFS share, then any confined application that needs to write a file in a home directory now can write any file on an NFS Share.

With labeled NFS this vulnerability goes away.

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Turn on Labeled NFS in the Fedora Kernel, Fix any policy issues that arise because of this. I believe this is mainly a testing issue, and that the functionality is comeplete.

Upgrade/compatibility impact

In the beginning this will be turned off by default so updating a system from an older Fedora should continue to run, with nfs mounts treated as nfs_t, by SELinux.

How To Test

Do to a bug in nfs-utils:

  • Server Side

Start/Stop nfs server.

   systemctl start nfs
   systemctl stop nfs

Set the version

   echo "+4.2" > /proc/fs/nfsd/versions

Start Server Again

   systemctl start nfs
  • Client Side
   mount  -o v4.2 server:mntpoint localmountpoint

There are many different scenarios that have to be tested with this new functionality.

Basically with Labeled NFS we need to test with client and servers supporting LNFS and SELinux

SELinux Testing

  • SELinux Client LNFS - SELinux Server LNFS
  • SELinux Client LNFS - SELinux Server No LNFS
  • SELinux CLient LNFS - Server LNFS
  • SELinux CLient LNFS - Server No LNFS
  • Client LNFS - SELinux Server LNFS
  • Client LNFS - SELInux Server No LNFS
  • Client LNFS - Server LNFS
  • Client LNFS - Server no LNFS
  • Client no LNFS - SELinux Server LNFS
  • Client no LNFS - SELInux Server No LNFS
  • Client no LNFS - Server LNFS
  • Client no LNFS - Server no LNFS

Also need testing on three way. IE You need two clients that support SELinux CLient NFS and change the label on one client, and make sure the other client sees the change.

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

We can continue using what we always did, all clients labeled the same

Documentation

Release Notes

Comments and Discussion