< Changes
| (13 intermediate revisions by 2 users not shown) | |||
| Line 47: | Line 47: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998566 #998566] | ||
** selinux-policy fixes are in Fedora 20. | ** selinux-policy fixes are in Fedora 20. | ||
** Labeled NFS Support is in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel | ** Labeled NFS Support is in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel | ||
| Line 74: | Line 73: | ||
* Proposal owners: | * Proposal owners: | ||
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
**Steve Dickson needs to make sure nfs-utils works properly. | |||
* Other developers: | **Dan Walsh needs to make sure selinux-policy works properly in all use cases. | ||
* Other developers: Kernel <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | |||
<!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
Turn on Labeled NFS in the Fedora Kernel, Fix any policy issues that arise because of this. I believe this is mainly a testing issue, and that the functionality is comeplete. | |||
* Release engineering: N/A ( | * Release engineering: N/A (No changes for Release Engineering) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuid required? If a rel-eng ticket exists, add a link here. --> | <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuid required? If a rel-eng ticket exists, add a link here. --> | ||
* Policies and guidelines: N/A (not | * Policies and guidelines: N/A (not affected) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
| Line 111: | Line 109: | ||
* Server Side | * Server Side | ||
Add RPCNFSDARGS="-V4.2" to /etc/sysconfig/nfs | |||
Start nfs service | |||
systemctl restart nfs | |||
Start | |||
systemctl | |||
* Client Side | * Client Side | ||
| Line 142: | Line 137: | ||
Also need testing on three way. IE You need two clients that support SELinux CLient NFS and change the label on one client, and make sure the other client sees the change. | Also need testing on three way. IE You need two clients that support SELinux CLient NFS and change the label on one client, and make sure the other client sees the change. | ||
* Application integration testing | |||
** Validate that libvirt/sVirt can store labeled VMs on NFS. | |||
** Validate that Secure Linux Applications can store content on NFS | |||
** Setup Users with NFS based homedirs and make sure tools like apache/sshd work without the use_nfs_home_dirs boolean turned on. | |||
-- | |||
== User Experience == | == User Experience == | ||
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --> | <!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --> | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
If you turn on Labeled NFS for homedirs or other content, the content will be labeled the same was as if it was on a EXT* file system. | |||
There is potential errors on mount between Systems at different versions of NFS. IE Attempting to mount a server which does not support | |||
Labelling, could cause an error, but the user/administrator should be able to handle this. | |||
== Dependencies == | == Dependencies == | ||
| Line 152: | Line 155: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
This will only work on the 3.11 kernel. If you boot with an older kernel NFS will fall back to the old behaviour. | |||
== Contingency Plan == | == Contingency Plan == | ||
| Line 170: | Line 173: | ||
* See [[Talk:Features/LabeledNFS]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --> | * See [[Talk:Features/LabeledNFS]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --> | ||
[[Category: | [[Category:ChangePageIncomplete]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Latest revision as of 18:08, 6 September 2013
Enable SELinux Labeled NFS Support
Summary
The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS.
Owner
- Name: Daniel Walsh
- Name: Steve Dickson
- Email: <dwalsh@redhat.com>
- Email: <steved@redhat.com>
Current status
- Targeted release: [Fedora 20]
- Last updated: Jul 24 2013
- Tracker bug: #998566
- selinux-policy fixes are in Fedora 20.
- Labeled NFS Support is in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel
- nfs-utils support
- mount support
Detailed Description
We have always needed to treat NFS mounts with a single label usually something like nfs_t. Or at best allow an administrator to override the default with a label using the mount --context option. With this change we have lots of different Labels supported on an NFS share.
Benefit to Fedora
There are two huge benefits for Fedora, in that currently we can not differentiate different labels on a single NFS mount point. Applications like Secure Virtualization as launched by libvirt, can not set the label of an image file on an NFS share, so sVirt separation is severely weakened. Similarly if you setup home directories on an NFS share, then any confined application that needs to write a file in a home directory now can write any file on an NFS Share.
With labeled NFS this vulnerability goes away.
Scope
- Proposal owners:
- Steve Dickson needs to make sure nfs-utils works properly.
- Dan Walsh needs to make sure selinux-policy works properly in all use cases.
- Other developers: Kernel
Turn on Labeled NFS in the Fedora Kernel, Fix any policy issues that arise because of this. I believe this is mainly a testing issue, and that the functionality is comeplete.
- Release engineering: N/A (No changes for Release Engineering)
- Policies and guidelines: N/A (not affected)
Upgrade/compatibility impact
In the beginning this will be turned off by default so updating a system from an older Fedora should continue to run, with nfs mounts treated as nfs_t, by SELinux.
How To Test
Do to a bug in nfs-utils:
- Server Side
Add RPCNFSDARGS="-V4.2" to /etc/sysconfig/nfs Start nfs service
systemctl restart nfs
- Client Side
mount -o v4.2 server:mntpoint localmountpoint
There are many different scenarios that have to be tested with this new functionality.
Basically with Labeled NFS we need to test with client and servers supporting LNFS and SELinux
SELinux Testing
- SELinux Client LNFS - SELinux Server LNFS
- SELinux Client LNFS - SELinux Server No LNFS
- SELinux CLient LNFS - Server LNFS
- SELinux CLient LNFS - Server No LNFS
- Client LNFS - SELinux Server LNFS
- Client LNFS - SELInux Server No LNFS
- Client LNFS - Server LNFS
- Client LNFS - Server no LNFS
- Client no LNFS - SELinux Server LNFS
- Client no LNFS - SELInux Server No LNFS
- Client no LNFS - Server LNFS
- Client no LNFS - Server no LNFS
Also need testing on three way. IE You need two clients that support SELinux CLient NFS and change the label on one client, and make sure the other client sees the change.
- Application integration testing
- Validate that libvirt/sVirt can store labeled VMs on NFS.
- Validate that Secure Linux Applications can store content on NFS
- Setup Users with NFS based homedirs and make sure tools like apache/sshd work without the use_nfs_home_dirs boolean turned on.
--
User Experience
If you turn on Labeled NFS for homedirs or other content, the content will be labeled the same was as if it was on a EXT* file system. There is potential errors on mount between Systems at different versions of NFS. IE Attempting to mount a server which does not support Labelling, could cause an error, but the user/administrator should be able to handle this.
Dependencies
This will only work on the 3.11 kernel. If you boot with an older kernel NFS will fall back to the old behaviour.
Contingency Plan
We can continue using what we always did, all clients labeled the same