From: Casey Schaufler
To: zyxel
CC: selinux@tycho.nsa.gov
Subject: Re: labeled NFS
Date: Fri, 11 May 2012 07:28:41 -0700
Message-ID: <4FAD2219.6090603@schaufler-ca.com>
List-Id: selinux@tycho.nsa.gov

On 5/11/2012 4:05 AM, zyxel wrote:
> Hello.
>
> I have some questions about labeled NFS.
> We have client and server systems running RHEL 6.1
> Kernels for both client and server were downloaded from git://git.selinuxproject.org/~dpquigl/lnfs
> Kernel version is 2.6.32. and they are already patched to support labeled NFS.
> Server is configured to export NFS share. Nfs-utils on server are patched for labeled nfs too.
>
> Here is listing for server exports file:
> /export *(rw,fsid=0,sec=unix,insecure,no_subtree_check,sync,security_label)
>
> Client and server have the same MLS policy.
>
> If I mount NFS share with command
> #mount -t nfs4 server:/ /mnt/nfsv4
> everything works good, but when I try to mount the same share to another directory
> #mount -t nfs4 server:/ /mnt/nfsv4_2
> it fails with:
>
> Message from syslogd@localhost at May 11 13:07:17 ...
> kernel:Oops: 0000 [#1] SMP
>
> Message from syslogd@localhost at May 11 13:07:17 ...
> kernel:last sysfs file: /sys/devices/virtual/block/dm-0/dev
>
> Message from syslogd@localhost at May 11 13:07:17 ...
> kernel:Stack:

An "Oops" indicates that a component of the kernel had a fatal
error, but that it only affected the current process or device
and the kernel was able to continue otherwise.

Use dmesg to see the kernel log. Any number of issues, from
misconfiguration to just plain bad code could have caused your
problem. There is not enough information in your email to do
much diagnosis.



> Why does it happen? Where can I get more information about that?
>
> The second question is that maybe I don't need labeled NFS.
> My task is to transfer security levels between client and server over NFS
> so that client with security level s0, for example, couldn't get access to file with level s1 on NFS share.
> I don't know if it may be done with netlabel or something.
> Could you help me a bit.
>
> Andrei
