2024-02-14 10:04:28

by Martin Wege

[permalink] [raw]
Subject: SELinux-Support in Linux NFSv4.1 impl?

Hello,

Does the Linux implementation server&client for NFSv4.1 support SELinux?

Thanks,
Martin


2024-02-14 11:28:52

by Jeff Layton

[permalink] [raw]
Subject: Re: SELinux-Support in Linux NFSv4.1 impl?

On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> Hello,
>
> Does the Linux implementation server&client for NFSv4.1 support SELinux?
>
>

Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
it.

--
Jeff Layton <[email protected]>

2024-02-17 13:38:27

by Martin Wege

[permalink] [raw]
Subject: Re: SELinux-Support in Linux NFSv4.1 impl?

On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
>
> On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > Hello,
> >
> > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> >
> >
>
> Labeled NFS is a NFSv4.2 feature. The Linux client and server do support

Is there documentation on how to set this up? Will this work if the
root fs ('/') is NFSv4.2?

Thanks,
Martin

2024-02-18 13:56:18

by Jeff Layton

[permalink] [raw]
Subject: Re: SELinux-Support in Linux NFSv4.1 impl?

On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> >
> > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > Hello,
> > >
> > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > >
> > >
> >
> > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
>
> Is there documentation on how to set this up? Will this work if the
> root fs ('/') is NFSv4.2?
>

There isn't much to set up. If you mount using NFSv4.2, the client and
server should negotiate using SELinux (assuming both are SELinux
enabled) and the SELinux contexts should (mostly) be projected across
the wire.

I've not tested it with nfsroot support, but I don't see why it wouldn't
work.
--
Jeff Layton <[email protected]>

2024-02-18 14:35:06

by Jeff Layton

[permalink] [raw]
Subject: Re: SELinux-Support in Linux NFSv4.1 impl?

On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <[email protected]> wrote:
> >
> > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> > > >
> > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > Hello,
> > > > >
> > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > >
> > > > >
> > > >
> > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > >
> > > Is there documentation on how to set this up? Will this work if the
> > > root fs ('/') is NFSv4.2?
> > >
> >
> > There isn't much to set up. If you mount using NFSv4.2, the client and
> > server should negotiate using SELinux (assuming both are SELinux
> > enabled) and the SELinux contexts should (mostly) be projected across
> > the wire.
>
> Jeff - as far as i know, while it is possible for the client to
> get/set the secure labels of files on the server - there is no way for
> the client to tell the server which user is performing the specific
> access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> work - only the 'Limited Server Mode' mode (i.e. only the client
> verifies the security labels - the server does not). please correct me
> if i'm wrong.
>
>

(re-cc'ing the mailing list...)

That is correct. I'm not aware of anyone having implented "Full mode" as
of yet anywhere.

The Linux server is a "dumb" labeled NFS server that just projects the
contexts to the clients and doesn't try to do any enforcement.
--
Jeff Layton <[email protected]>

2024-02-26 07:30:08

by Martin Wege

[permalink] [raw]
Subject: Re: SELinux-Support in Linux NFSv4.1 impl?

On Sun, Feb 18, 2024 at 3:35 PM Jeff Layton <[email protected]> wrote:
>
> On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> > On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <[email protected]> wrote:
> > >
> > > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <[email protected]> wrote:
> > > > >
> > > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > >
> > > > > >
> > > > >
> > > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > >
> > > > Is there documentation on how to set this up? Will this work if the
> > > > root fs ('/') is NFSv4.2?
> > > >
> > >
> > > There isn't much to set up. If you mount using NFSv4.2, the client and
> > > server should negotiate using SELinux (assuming both are SELinux
> > > enabled) and the SELinux contexts should (mostly) be projected across
> > > the wire.
> >
> > Jeff - as far as i know, while it is possible for the client to
> > get/set the secure labels of files on the server - there is no way for
> > the client to tell the server which user is performing the specific
> > access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> > work - only the 'Limited Server Mode' mode (i.e. only the client
> > verifies the security labels - the server does not). please correct me
> > if i'm wrong.
> >
> >
>
> (re-cc'ing the mailing list...)
>
> That is correct. I'm not aware of anyone having implented "Full mode" as
> of yet anywhere.
>
> The Linux server is a "dumb" labeled NFS server that just projects the
> contexts to the clients and doesn't try to do any enforcement.

Is this documented somehere? "NFSv4.2 SELinux HOWTO" maybe?

Thanks,
Martin