2020-11-05 19:49:13

by Olga Kornievskaia

Subject: question about labeled NFS+rfc7569+selinux

Hi folks,

I would like to know if somebody can comment on the following
regarding labeled NFS.

RFC 7569 talks about Label formats and specifically lists that "0" is
a reserved value.

Using labeled NFS with SELinux and looking at labels (in Wireshark),
SELinux sends/sets the label format as 0 (i.e. this is a reserved
value according to the spec).

So we have labelformat_spec4 set to 0 where the spec says of this field
"The LFS and the Security Label Format Selection Registry are
described in detail in [RFC7569]". It's unlikely that "0" is reserved
for SELinux and not explicitly specified there?

0 seems to be a good choice for using as a default label which the
RFC7862 vaguely talks about (though says nothing about the format for
a default label).

I'm not aware if SELinux is supposed to follow a spec and therefore I
don't think it is obligated to follow the rules of RFC 7569. Can anybody
comment on how the labeled NFS label format and the SELinux label format
choice are supposed to co-exist?

Thank you.
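To make the wire-level point concrete, here is an added example (not code from Olga's mail or from the Linux NFS/SELinux implementation) that decodes the XDR `sec_label4` structure from RFC 7862 (`labelformat_spec4 slai_lfs` holding `lfs_lfs` and `lfs_pi`, followed by `opaque slai_data<>`) and flags the one thing this thread establishes: an LFS of 0 is a Reserved value in the RFC 7569 registry. The sample bytes are constructed to mimic what the thread describes seeing in Wireshark (LFS 0, PI 0, an SELinux context string as the opaque data); the context string `system_u:object_r:nfs_t:s0` is an assumed example, not a capture.

```python
import struct

LFS_RESERVED = 0  # RFC 7569 lists LFS value 0 as Reserved


def _uint32(buf, off):
    """Decode one XDR unsigned int (4 bytes, big-endian) at offset off."""
    if off + 4 > len(buf):
        raise ValueError(f"truncated uint32 at offset {off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """Decode a variable-length XDR opaque<>: uint32 length, body, zero pad to 4."""
    length, off = _uint32(buf, off)
    end = off + length
    padded_end = end + (-length % 4)
    if padded_end > len(buf):
        raise ValueError("truncated opaque body or padding")
    if any(buf[end:padded_end]):
        raise ValueError("non-zero XDR padding bytes")
    return buf[off:end], padded_end


def decode_sec_label4(buf):
    """Decode sec_label4 (RFC 7862): lfs_lfs, lfs_pi, then slai_data<>."""
    lfs, off = _uint32(buf, 0)
    pi, off = _uint32(buf, off)
    data, off = _opaque(buf, off)
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after sec_label4")
    return {"lfs": lfs, "pi": pi, "data": data}


def encode_sec_label4(lfs, pi, data):
    """Encode sec_label4 with the XDR padding the decoder above expects."""
    length = len(data)
    return struct.pack(">III", lfs, pi, length) + data + b"\0" * (-length % 4)


def lfs_warnings(label):
    """Return a list of registry-related warnings for a decoded label.

    Only the Reserved value 0 is flagged; nothing is claimed about other
    LFS numbers, since their registry status is not established here.
    """
    warnings = []
    if label["lfs"] == LFS_RESERVED:
        warnings.append(
            "slai_lfs.lfs_lfs is 0, which the RFC 7569 registry lists as Reserved"
        )
    return warnings


# Constructed sample, not a real capture: LFS 0, PI 0 and an assumed SELinux
# context string as slai_data, matching the shape described in the thread.
SAMPLE_SELINUX_LABEL = encode_sec_label4(0, 0, b"system_u:object_r:nfs_t:s0")

if __name__ == "__main__":
    label = decode_sec_label4(SAMPLE_SELINUX_LABEL)
    print(label)
    for warning in lfs_warnings(label):
        print("warning:", warning)
```

Running this on the constructed sample prints the decoded fields and one warning, which is the situation the question describes: the label parses cleanly as `sec_label4`, but its LFS is the registry's reserved value rather than a registered format number.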


2020-11-06 07:56:16

by Thomas Haynes

Subject: Re: question about labeled NFS+rfc7569+selinux



> On Nov 5, 2020, at 11:47 AM, Olga Kornievskaia <[email protected]> wrote:
>
> Hi folks,
>
> I would like to know if somebody can comment on the following
> regarding labeled NFS.
>
> RFC 7569 talks about Label formats and specifically lists that "0" is
> a reserved value.
>
> Using labeled NFS with SELinux and looking at labels (in Wireshark),
> SELinux sends/sets the label format as 0 (i.e. this is a reserved
> value according to the spec).
>
> So we have labelformat_spec4 set to 0 where the spec says of this field
> "The LFS and the Security Label Format Selection Registry are
> described in detail in [RFC7569]". It's unlikely that "0" is reserved
> for SELinux and not explicitly specified there?
>
> 0 seems to be a good choice for using as a default label which the
> RFC7862 vaguely talks about (though says nothing about the format for
> a default label).
>
> I'm not aware if SELinux is supposed to follow a spec and therefore I
> don't think it is obligated to follow the rules of RFC 7569. Can anybody
> comment on how the labeled NFS label format and the SELinux label format
> choice are supposed to co-exist?
>
> Thank you.

Hi Olga,

The SELinux implementation of Labeled NFS is not spec compliant.

There are two paths forward:

1) Fix the implementation to be spec compliant.
2) File an errata to RFC 7569 to allow 0 to be assigned to the SELinux implementation.

The argument against 1) is that there are existing deployments of servers and clients which will be incompatible.

Thanks,
Tom