SELinux-Support in Linux NFSv4.1 impl?

SELinux-Support in Linux NFSv4.1 impl?

[Martin Wege]

Hello,

Does the Linux implementation server&client for NFSv4.1 support SELinux?

Thanks,
Martin

Re: SELinux-Support in Linux NFSv4.1 impl?

[Jeff Layton]

On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> Hello,
> 
> Does the Linux implementation server&client for NFSv4.1 support SELinux?
> 
> 

Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
it.

-- 
Jeff Layton <jlayton@kernel.org>

Re: SELinux-Support in Linux NFSv4.1 impl?

[Martin Wege]

On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > Hello,
> >
> > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> >
> >
>
> Labeled NFS is a NFSv4.2 feature. The Linux client and server do support

Is there documentation on how to set this up? Will this work if the
root fs ('/') is NFSv4.2?

Thanks,
Martin

Re: SELinux-Support in Linux NFSv4.1 impl?

[Jeff Layton]

On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@kernel.org> wrote:
> > 
> > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > Hello,
> > > 
> > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > 
> > > 
> > 
> > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> 
> Is there documentation on how to set this up? Will this work if the
> root fs ('/') is NFSv4.2?
> 

There isn't much to set up. If you mount using NFSv4.2, the client and
server should negotiate using SELinux (assuming both are SELinux
enabled) and the SELinux contexts should (mostly) be projected across
the wire.

I've not tested it with nfsroot support, but I don't see why it wouldn't
work.
-- 
Jeff Layton <jlayton@kernel.org>

Re: SELinux-Support in Linux NFSv4.1 impl?

[Jeff Layton]

On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <jlayton@kernel.org> wrote:
> > 
> > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@kernel.org> wrote:
> > > > 
> > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > Hello,
> > > > > 
> > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > 
> > > > > 
> > > > 
> > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > 
> > > Is there documentation on how to set this up? Will this work if the
> > > root fs ('/') is NFSv4.2?
> > > 
> > 
> > There isn't much to set up. If you mount using NFSv4.2, the client and
> > server should negotiate using SELinux (assuming both are SELinux
> > enabled) and the SELinux contexts should (mostly) be projected across
> > the wire.
> 
> Jeff - as far as i know, while it is possible for the client to
> get/set the secure labels of files on the server - there is no way for
> the client to tell the server which user is performing the specific
> access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> work - only the 'Limited Server Mode' mode (i.e. only the client
> verifies the security labels - the server does not). please correct me
> if i'm wrong.
> 
> 

(re-cc'ing the mailing list...)

That is correct. I'm not aware of anyone having implented "Full mode" as
of yet anywhere.

The Linux server is a "dumb" labeled NFS server that just projects the
contexts to the clients and doesn't try to do any enforcement.
-- 
Jeff Layton <jlayton@kernel.org>

Re: SELinux-Support in Linux NFSv4.1 impl?

[Martin Wege]

On Sun, Feb 18, 2024 at 3:35 PM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> > On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <jlayton@kernel.org> wrote:
> > >
> > > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@kernel.org> wrote:
> > > > >
> > > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > >
> > > > > >
> > > > >
> > > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > >
> > > > Is there documentation on how to set this up? Will this work if the
> > > > root fs ('/') is NFSv4.2?
> > > >
> > >
> > > There isn't much to set up. If you mount using NFSv4.2, the client and
> > > server should negotiate using SELinux (assuming both are SELinux
> > > enabled) and the SELinux contexts should (mostly) be projected across
> > > the wire.
> >
> > Jeff - as far as i know, while it is possible for the client to
> > get/set the secure labels of files on the server - there is no way for
> > the client to tell the server which user is performing the specific
> > access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> > work - only the 'Limited Server Mode' mode (i.e. only the client
> > verifies the security labels - the server does not). please correct me
> > if i'm wrong.
> >
> >
>
> (re-cc'ing the mailing list...)
>
> That is correct. I'm not aware of anyone having implented "Full mode" as
> of yet anywhere.
>
> The Linux server is a "dumb" labeled NFS server that just projects the
> contexts to the clients and doesn't try to do any enforcement.

Is this documented somehere? "NFSv4.2 SELinux HOWTO" maybe?

Thanks,
Martin

Re: SELinux-Support in Linux NFSv4.1 impl?

[Martin Wege]

?

On Mon, Feb 26, 2024 at 8:30 AM Martin Wege <martin.l.wege@gmail.com> wrote:
>
> On Sun, Feb 18, 2024 at 3:35 PM Jeff Layton <jlayton@kernel.org> wrote:
> >
> > On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> > > On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <jlayton@kernel.org> wrote:
> > > >
> > > > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@kernel.org> wrote:
> > > > > >
> > > > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > > >
> > > > > Is there documentation on how to set this up? Will this work if the
> > > > > root fs ('/') is NFSv4.2?
> > > > >
> > > >
> > > > There isn't much to set up. If you mount using NFSv4.2, the client and
> > > > server should negotiate using SELinux (assuming both are SELinux
> > > > enabled) and the SELinux contexts should (mostly) be projected across
> > > > the wire.
> > >
> > > Jeff - as far as i know, while it is possible for the client to
> > > get/set the secure labels of files on the server - there is no way for
> > > the client to tell the server which user is performing the specific
> > > access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> > > work - only the 'Limited Server Mode' mode (i.e. only the client
> > > verifies the security labels - the server does not). please correct me
> > > if i'm wrong.
> > >
> > >
> >
> > (re-cc'ing the mailing list...)
> >
> > That is correct. I'm not aware of anyone having implented "Full mode" as
> > of yet anywhere.
> >
> > The Linux server is a "dumb" labeled NFS server that just projects the
> > contexts to the clients and doesn't try to do any enforcement.
>
> Is this documented somehere? "NFSv4.2 SELinux HOWTO" maybe?
>
> Thanks,
> Martin

Re: SELinux-Support in Linux NFSv4.1 impl?

[Matt Kinni]

On 2024-02-17 at 06:37 (-0700), Martin Wege wrote:
> Is there documentation on how to set this up? Will this work if the
> root fs ('/') is NFSv4.2?

> 

Hi Martin,
On your server's /etc/exports add "security_label" like so:

    /srv  *(sec=krb5,security_label,ro,fsid=0)  (example)

On your client, make sure it is mounting with nfsvers=4.2

Run 'mount' on client to confirm "seclabel" is showing in the output,
and you will see the labels coming through with ls -Z


-- 
Matt