Re: Labeled NFS [v5]

[David Quigley <dpquigl@xxxxxxxxxxxxxxx>]

On 11/14/2012 08:45, J. Bruce Fields wrote:
> On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
> > On 11/13/2012 7:55 AM, Steve Dickson wrote:
> > >
> > >
> > >On 12/11/12 20:39, Dave Quigley wrote:
> > >>If you're ok with non Fedora kernel images I can try to put up a 
> > tree either tonight or tomorrow with the patches that you just need to 
> > build and install. That plus the one patch for nfs-utils should make 
> > everything work.
> > >I'm good with that....
> > >
> > >steved.
> > >
> >
> > Ok so if you go to http://www.selinuxproject.org/git you will see a
> > repo for lnfs and lnfs-patchset. The instructions at
> > http://www.selinuxproject.org/page/Labeled_NFS give you a better
> > indication on how to pull the trees. I've attached a patch for NFS
> > utils which gives support for security_label/nosecurity_label in
> > your /etc/exports file.
>
> Do we need an export option?  Is there any reason not to make the
> feature available whenever there's support available for it?
>
> --b.
>
> > I've also attached a script called setup
> > which should build a test directory called /export with a copy of
> > /var/www under it which should be labeled properly. It does all the
> > proper SELinux commands to make sure labeling is correct. Once you
> > have that setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever
> > you want) and you should be good to go. Just ls -Z in /mnt/lnfs/var
> > and check to make sure the labels are the same as /export/var. It
> > should have the labels showing up in the network transfer. If you
> > have any problems just let me know and I can try to help figure them
> > out.
> >
> > Dave
>
> > >From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 
> > 2001
> > From: Dave Quigley <dpquigl@xxxxxxxxxxxxxxxxxxxxxxxx>
> > Date: Fri, 18 Sep 2009 08:53:58 -0700
> > Subject: [PATCH] Add support to specify which exports will provide 
> > Labeled NFS support.
> >
> > diff --git a/support/include/nfs/export.h 
> > b/support/include/nfs/export.h
> > index 1547a87..b8e2fb0 100644
> > --- a/support/include/nfs/export.h
> > +++ b/support/include/nfs/export.h
> > @@ -17,7 +17,8 @@
> >  #define NFSEXP_ALLSQUASH	0x0008
> >  #define NFSEXP_ASYNC		0x0010
> >  #define NFSEXP_GATHERED_WRITES	0x0020
> > -/* 40, 80, 100 unused */
> > +#define NFSEXP_SECURITY_LABEL	0x0040	/* Support MAC attribute */
> > +/* 80, 100 unused */
> >  #define NFSEXP_NOHIDE		0x0200
> >  #define NFSEXP_NOSUBTREECHECK	0x0400
> >  #define NFSEXP_NOAUTHNLM	0x0800
> > diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> > index a93941c..8965c8d 100644
> > --- a/support/nfs/exports.c
> > +++ b/support/nfs/exports.c
> > @@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
> >  	fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
> >  	fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
> >  				"" : "no_");
> > +	fprintf(fp, "%ssecurity_label,", (ep->e_flags & 
> > NFSEXP_SECURITY_LABEL)?
> > +				"" : "no");
> >  	fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
> >  				"no" : "");
> >  	fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
> > @@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int 
> > warn, int *had_subtree_opt_ptr)
> >  			setflags(NFSEXP_GATHERED_WRITES, active, ep);
> >  		else if (!strcmp(opt, "no_wdelay"))
> >  			clearflags(NFSEXP_GATHERED_WRITES, active, ep);
> > +		else if (strcmp(opt, "security_label") == 0)
> > +			ep->e_flags |= NFSEXP_SECURITY_LABEL;
> > +		else if (strcmp(opt, "nosecurity_label") == 0)
> > +			ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
> >  		else if (strcmp(opt, "root_squash") == 0)
> >  			setflags(NFSEXP_ROOTSQUASH, active, ep);
> >  		else if (!strcmp(opt, "no_root_squash"))
> > diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
> > index b78957f..6434825 100644
> > --- a/utils/exportfs/exportfs.c
> > +++ b/utils/exportfs/exportfs.c
> > @@ -531,6 +531,8 @@ dump(int verbose)
> >  				c = dumpopt(c, "async");
> >  			if (ep->e_flags & NFSEXP_GATHERED_WRITES)
> >  				c = dumpopt(c, "wdelay");
> > +			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
> > +				c = dumpopt(c, "security_label");
> >  			if (ep->e_flags & NFSEXP_NOHIDE)
> >  				c = dumpopt(c, "nohide");
> >  			if (ep->e_flags & NFSEXP_CROSSMOUNT)
>
> > #!/bin/bash
> > mkdir /export
> > semanage fcontext -a -t mnt_t /export
> > mkdir /export/var
> > cp -R /var/www /export/var
> > semanage fcontext -ae /var /export/var
> > restorecon -R /export
> >
> > echo "/export 
> > *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync, 
> > no_root_squash)" >> /etc/exports
> > systemctl restart nfs-server.service

I guess we could build it in but I figured an export option allowed 
someone to turn off security labeling support if they didn't want it on 
that export. What happens to clients when the server returns a cap that 
they don't support? Do they mask the bits out?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.