Hello,
Does the Linux implementation server&client for NFSv4.1 support SELinux?
Thanks,
Martin
On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> Hello,
>
> Does the Linux implementation server&client for NFSv4.1 support SELinux?
>
>
Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
it.
--
Jeff Layton <[email protected]>
On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
>
> On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > Hello,
> >
> > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> >
> >
>
> Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
Is there documentation on how to set this up? Will this work if the
root fs ('/') is NFSv4.2?
Thanks,
Martin
On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> >
> > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > Hello,
> > >
> > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > >
> > >
> >
> > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
>
> Is there documentation on how to set this up? Will this work if the
> root fs ('/') is NFSv4.2?
>
There isn't much to set up. If you mount using NFSv4.2, the client and
server should negotiate using SELinux (assuming both are SELinux
enabled) and the SELinux contexts should (mostly) be projected across
the wire.
I've not tested it with nfsroot support, but I don't see why it wouldn't
work.
--
Jeff Layton <[email protected]>
On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <[email protected]> wrote:
> >
> > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> > > >
> > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > Hello,
> > > > >
> > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > >
> > > > >
> > > >
> > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > >
> > > Is there documentation on how to set this up? Will this work if the
> > > root fs ('/') is NFSv4.2?
> > >
> >
> > There isn't much to set up. If you mount using NFSv4.2, the client and
> > server should negotiate using SELinux (assuming both are SELinux
> > enabled) and the SELinux contexts should (mostly) be projected across
> > the wire.
>
> Jeff - as far as i know, while it is possible for the client to
> get/set the secure labels of files on the server - there is no way for
> the client to tell the server which user is performing the specific
> access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> work - only the 'Limited Server Mode' mode (i.e. only the client
> verifies the security labels - the server does not). please correct me
> if i'm wrong.
>
>
(re-cc'ing the mailing list...)
That is correct. I'm not aware of anyone having implented "Full mode" as
of yet anywhere.
The Linux server is a "dumb" labeled NFS server that just projects the
contexts to the clients and doesn't try to do any enforcement.
--
Jeff Layton <[email protected]>
On Sun, Feb 18, 2024 at 3:35 PM Jeff Layton <[email protected]> wrote:
>
> On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> > On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <[email protected]> wrote:
> > >
> > > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> > > > >
> > > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > >
> > > > > >
> > > > >
> > > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > >
> > > > Is there documentation on how to set this up? Will this work if the
> > > > root fs ('/') is NFSv4.2?
> > > >
> > >
> > > There isn't much to set up. If you mount using NFSv4.2, the client and
> > > server should negotiate using SELinux (assuming both are SELinux
> > > enabled) and the SELinux contexts should (mostly) be projected across
> > > the wire.
> >
> > Jeff - as far as i know, while it is possible for the client to
> > get/set the secure labels of files on the server - there is no way for
> > the client to tell the server which user is performing the specific
> > access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> > work - only the 'Limited Server Mode' mode (i.e. only the client
> > verifies the security labels - the server does not). please correct me
> > if i'm wrong.
> >
> >
>
> (re-cc'ing the mailing list...)
>
> That is correct. I'm not aware of anyone having implented "Full mode" as
> of yet anywhere.
>
> The Linux server is a "dumb" labeled NFS server that just projects the
> contexts to the clients and doesn't try to do any enforcement.
Is this documented somehere? "NFSv4.2 SELinux HOWTO" maybe?
Thanks,
Martin