?
On Mon, Feb 26, 2024 at 8:30 AM Martin Wege <martin.l.wege@xxxxxxxxx> wrote:
>
> On Sun, Feb 18, 2024 at 3:35 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> >
> > On Sun, 2024-02-18 at 16:16 +0200, Guy Keren wrote:
> > > On Sun, Feb 18, 2024 at 3:55 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > > >
> > > > On Sat, 2024-02-17 at 14:37 +0100, Martin Wege wrote:
> > > > > On Wed, Feb 14, 2024 at 12:28 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > > > > >
> > > > > > On Wed, 2024-02-14 at 10:46 +0100, Martin Wege wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Does the Linux implementation server&client for NFSv4.1 support SELinux?
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > Labeled NFS is a NFSv4.2 feature. The Linux client and server do support
> > > > >
> > > > > Is there documentation on how to set this up? Will this work if the
> > > > > root fs ('/') is NFSv4.2?
> > > > >
> > > >
> > > > There isn't much to set up. If you mount using NFSv4.2, the client and
> > > > server should negotiate using SELinux (assuming both are SELinux
> > > > enabled) and the SELinux contexts should (mostly) be projected across
> > > > the wire.
> > >
> > > Jeff - as far as i know, while it is possible for the client to
> > > get/set the secure labels of files on the server - there is no way for
> > > the client to tell the server which user is performing the specific
> > > access operation - so the 'FULL MODE' of nfs4.2 security labels cannot
> > > work - only the 'Limited Server Mode' mode (i.e. only the client
> > > verifies the security labels - the server does not). please correct me
> > > if i'm wrong.
> > >
> > >
> >
> > (re-cc'ing the mailing list...)
> >
> > That is correct. I'm not aware of anyone having implented "Full mode" as
> > of yet anywhere.
> >
> > The Linux server is a "dumb" labeled NFS server that just projects the
> > contexts to the clients and doesn't try to do any enforcement.
>
> Is this documented somehere? "NFSv4.2 SELinux HOWTO" maybe?
>
> Thanks,
> Martin
