From: Dave Quigley <dpquigl@davequigley.com>
To: Steve Dickson <SteveD@redhat.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
"David P. Quigley" <selinux@davequigley.com>,
trond.myklebust@netapp.com, sds@tycho.nsa.gov,
linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: Labeled NFS [v5]
Date: Tue, 13 Nov 2012 23:32:53 -0500 [thread overview]
Message-ID: <50A31EF5.1050801@davequigley.com> (raw)
In-Reply-To: <50A24345.8080309@RedHat.com>
[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]
On 11/13/2012 7:55 AM, Steve Dickson wrote:
>
>
> On 12/11/12 20:39, Dave Quigley wrote:
>> If you're OK with non-Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
> I'm good with that....
>
> steved.
>
OK, so if you go to http://www.selinuxproject.org/git you will see a repo
for lnfs and lnfs-patchset. The instructions at
http://www.selinuxproject.org/page/Labeled_NFS give you a better
indication of how to pull the trees. I've attached a patch for nfs-utils
which gives support for security_label/nosecurity_label in your
/etc/exports file. I've also attached a script called setup which should
build a test directory called /export with a copy of /var/www under it
which should be labeled properly. It does all the proper SELinux
commands to make sure labeling is correct. Once you have that set up, just
mount -t nfs localhost:/ /mnt/lnfs (or wherever you want) and you should
be good to go. Just ls -Z in /mnt/lnfs/var and check to make sure the
labels are the same as /export/var. The labels should show up
in the network transfer. If you have any problems just let me know and I
can try to help figure them out.
Dave
[-- Attachment #2: 0001-Add-support-to-specify-which-exports-will-provide-La.patch --]
[-- Type: text/plain, Size: 2397 bytes --]
From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 2001
From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
Date: Fri, 18 Sep 2009 08:53:58 -0700
Subject: [PATCH] Add support to specify which exports will provide Labeled NFS support.
diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
index 1547a87..b8e2fb0 100644
--- a/support/include/nfs/export.h
+++ b/support/include/nfs/export.h
@@ -17,7 +17,8 @@
#define NFSEXP_ALLSQUASH 0x0008
#define NFSEXP_ASYNC 0x0010
#define NFSEXP_GATHERED_WRITES 0x0020
-/* 40, 80, 100 unused */
+#define NFSEXP_SECURITY_LABEL 0x0040 /* Support MAC attribute */
+/* 80, 100 unused */
#define NFSEXP_NOHIDE 0x0200
#define NFSEXP_NOSUBTREECHECK 0x0400
#define NFSEXP_NOAUTHNLM 0x0800
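Review bot: the bit value chosen here (0x0040) is part of the export-flags interface that nfs-utils hands to the kernel's nfsd, so the new comment should say that it must stay identical to the kernel's NFSEXP_SECURITY_LABEL from the lnfs patchset; if the two headers ever diverge, the option would silently be mapped onto a different kernel flag. Also confirm that any all-flags mask in this header is extended with the new bit, otherwise it may be masked off before it reaches the kernel.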
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index a93941c..8965c8d 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
"" : "no_");
+ fprintf(fp, "%ssecurity_label,", (ep->e_flags & NFSEXP_SECURITY_LABEL)?
+ "" : "no");
fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
"no" : "");
fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
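Review bot: the negative form written to etab here is "nosecurity_label" (the "no" prefix without an underscore), while the neighbouring wdelay line uses "no_wdelay"; the parser hunk in this patch accepts exactly "nosecurity_label", so the round trip through etab works, but pick one spelling for the writer, the parser and the exports(5) documentation, and if compatibility with the other style matters accept "no_security_label" as an alias in parseopts() too.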
@@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
setflags(NFSEXP_GATHERED_WRITES, active, ep);
else if (!strcmp(opt, "no_wdelay"))
clearflags(NFSEXP_GATHERED_WRITES, active, ep);
+ else if (strcmp(opt, "security_label") == 0)
+ ep->e_flags |= NFSEXP_SECURITY_LABEL;
+ else if (strcmp(opt, "nosecurity_label") == 0)
+ ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
else if (strcmp(opt, "root_squash") == 0)
setflags(NFSEXP_ROOTSQUASH, active, ep);
else if (!strcmp(opt, "no_root_squash"))
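Review bot: the two new branches modify ep->e_flags directly, whereas every surrounding option goes through setflags()/clearflags() with the `active` mask, which applies the change to the security flavours selected by a preceding sec= list as well as to e_flags; use setflags(NFSEXP_SECURITY_LABEL, active, ep) and clearflags(NFSEXP_SECURITY_LABEL, active, ep) so that security_label is recorded per flavour like wdelay and root_squash, otherwise the flag is lost for exports that use sec= options.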
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index b78957f..6434825 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -531,6 +531,8 @@ dump(int verbose)
c = dumpopt(c, "async");
if (ep->e_flags & NFSEXP_GATHERED_WRITES)
c = dumpopt(c, "wdelay");
+ if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+ c = dumpopt(c, "security_label");
if (ep->e_flags & NFSEXP_NOHIDE)
c = dumpopt(c, "nohide");
if (ep->e_flags & NFSEXP_CROSSMOUNT)
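Review bot: printing "security_label" only when the flag is set matches the other off-by-default options in dump(), but the patch adds no documentation for the new option; utils/exportfs/exports.man needs an entry for security_label/nosecurity_label explaining that it enables MAC label transport for the export and that the server kernel must carry the Labeled NFS (lnfs) patches for it to have any effect.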
[-- Attachment #3: setup.sh --]
[-- Type: text/plain, Size: 324 bytes --]
#!/bin/bash
# Build a labeled test export: /export holds a copy of /var/www that keeps
# the same SELinux labels it has under /var, via a file-context equivalence.
mkdir -p /export
semanage fcontext -a -t mnt_t /export
mkdir -p /export/var
cp -R /var/www /export/var
semanage fcontext -a -e /var /export/var
restorecon -R /export
# No whitespace inside the option list: exportfs splits the line on spaces
# and would reject "sync, no_root_squash)" as a bad option list.
echo "/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync,no_root_squash)" >> /etc/exports
systemctl restart nfs-server.service
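A check for the last step of Dave's instructions (comparing the labels under /mnt/lnfs/var with those under /export/var), added here as an example and not part of the message, the setup script or nfs-utils. It assumes getfattr(1) from the attr package and reads the security.selinux xattr that ls -Z displays.

```shell
#!/bin/sh
# Added example: compare the SELinux labels of an exported tree with the
# labels a Labeled NFS client sees, automating the "ls -Z both sides" check.
# Assumes getfattr(1) is installed (attr package).

# label_listing DIR: print "path<TAB>label" for every entry under DIR,
# sorted by path, so that two trees can be compared line by line.
label_listing() {
    ( cd "$1" && find . -print | sort | while IFS= read -r f; do
        label=$(getfattr --only-values -n security.selinux "$f" 2>/dev/null) \
            || label='<unlabeled>'
        printf '%s\t%s\n' "$f" "$label"
    done )
}

# compare_listings SERVER_FILE CLIENT_FILE: report every path whose label
# differs or that exists on only one side. Returns 0 when the listings are
# identical (and prints nothing), 1 when any difference was found.
compare_listings() {
    awk -F'\t' '
        # first file: remember the server label for each path
        NR == FNR { server[$1] = $2; next }
        # second file: compare each client path against the server label
        {
            seen[$1] = 1
            if (!($1 in server)) {
                printf "only on client: %s (%s)\n", $1, $2; n++
            } else if (server[$1] != $2) {
                printf "label mismatch: %s server=%s client=%s\n", $1, server[$1], $2; n++
            }
        }
        END {
            for (p in server) if (!(p in seen)) {
                printf "only on server: %s (%s)\n", p, server[p]; n++
            }
            if (n) exit 1
        }' "$1" "$2"
}

# check_labeled_mount SERVER_DIR CLIENT_DIR, e.g. /export/var /mnt/lnfs/var
check_labeled_mount() {
    tmp=$(mktemp -d) || return 2
    label_listing "$1" > "$tmp/server"
    label_listing "$2" > "$tmp/client"
    compare_listings "$tmp/server" "$tmp/client"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
[ "$#" -eq 2 ] && check_labeled_mount "$1" "$2"
```

Run it as `sh check-labels.sh /export/var /mnt/lnfs/var`; an empty output and exit status 0 mean every file carries the same label on both sides.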