Labeled NFS

From SELinux Wiki

(Difference between revisions)
Jump to: navigation, search
Revision as of 21:02, 26 November 2008 (edit)
DaveQuigley (Talk | contribs)

← Previous diff
Revision as of 01:24, 11 August 2009 (edit) (undo)
RobertStory (Talk | contribs)
(remove '.git' from repos that don't end in '.git')
Next diff →
Line 18: Line 18:
The three trees that pertain to the Labeled-NFS work are: The three trees that pertain to the Labeled-NFS work are:
-* users/dpquigl/lnfs.git+* users/dpquigl/lnfs
-* users/dpquigl/nfs-utils.git+* users/dpquigl/nfs-utils
* users/dpquigl/libnfsdoimap.git * users/dpquigl/libnfsdoimap.git
-To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for <tree>.+To clone these trees use the command below substituting any of {lnfs, libnfsdoimap.git, nfs-utils} for <tree>.
git-clone git://git.selinuxproject.org/~dpquigl/<tree> git-clone git://git.selinuxproject.org/~dpquigl/<tree>

Revision as of 01:24, 11 August 2009

Contents

Introduction

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within NFSv4

Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.

Project News

None as of yet.

Getting the code

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. The three trees that pertain to the Labeled-NFS work are:

  • users/dpquigl/lnfs
  • users/dpquigl/nfs-utils
  • users/dpquigl/libnfsdoimap.git

To clone these trees use the command below substituting any of {lnfs, libnfsdoimap.git, nfs-utils} for <tree>.

git-clone git://git.selinuxproject.org/~dpquigl/<tree>

Building & Installing the Code

This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.

Installing Development Packages

The nfs-utils git tree requires the development version of several packages to be installed.

yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \
     libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel


Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed.

yum install git

Labeled-NFS Kernel

This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.

The first step is the clone the Labeled-NFS kernel repository.

git clone git://git.selinuxproject.org/~dpquigl/lnfs

This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.

git-branch
* lnfs

If instead you see * master then you can issue the following command to checkout and track the lnfs branch.

git-checkout origin/lnfs -b lnfs

Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config use the kernel config menu to set the options below. Copy this file into your source tree and rename it to .config.

make menuconfig
General setup --->
        [*] Auditing support
Security options --->
        [*] Enable different security models
               [*] Socket and Networking Security Hooks
        [*] NSA SELinux Support
File systems --->
        <*> Ext3 journalling file system support
               [*] Ext3 extended attributes
                       [*] Ext3 Security Labels
        [*] Network File Systems --->
               <*> NFS file system support
                       [*] Provide NFSv4 client support
                               [*] Provide Security Label support for NFSv4 client
               <*> NFS server support
                       [*] Provide NFSv4 server support
                               [*] Provide Security Label support for NFSv4 server

Finally build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot.

make
make modules_install install

NFS Utils

This section explains how to build and install the modified NFS Utils package needed to export security labels. This is only needed on the server where exportfs does sanity checking on export arguments. If you are deploying this on several systems and have clients that don't intend to export any volumes you don't need to install this package on those clients. However you will still need it on the server.

The first step is the clone the Labeled-NFS nfs-utils repository.

git clone git://git.selinuxproject.org/~dpquigl/nfs-utils

This should give you the source tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.

git-branch
* lnfs

If instead you see * master then you can issue the following command to checkout and track the lnfs branch.

git-checkout origin/lnfs -b lnfs

After this you can build the source tree with the commands below. The final command needs to be executed as root. If you run into any problems when executing the configuration command go back and make sure you have all the necessary development packages installed.

sh autogen.sh
./configure
make
make install

Client & Server Setup

Server

The first thing to check is that the rpc filesystem is installed and mounted. If you use the default Fedora kernel config this will be the case. The issue here is that the init scripts for the NFS daemons tried to install the sunrpc module and if it can't then it doesn't even bother to try mounting the file system. When this is built into the kernel the modprobe will fail and the file system wont be mounted even though it can be. To check this issue the command below.

# mount | grep rpc_pipefs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

If you did not see the output above add this line to your /etc/fstab file and then run mount -a.

rpc_pipefs      /var/lib/nfs/rpc_pipefs rpc_pipefs      defaults        0 0

After this we need to tell NFSD what to export make a directory called /export and then add the line below to your /etc/exports file. Note this is just an example the most important thing to have here is the security_label option which tells the server that it should export security_labels for this export.

/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync)

The next step is to start the service, configure the nfs service to start on several runlevels, and verify the export.

# service nfs start
# chkconfig --level 345 nfs on
# showmount -e

Finally attempt to locally mount the file system and verify that it is using file labels.

# mkdir /mnt/nfsv4
# mount -t nfs4 localhost:/ /mnt/nfsv4
# grep security_label /proc/mounts

Client

For the client setup is much simpler. First enable rpcidmapd with the command below.

# /etc/init.d/rpcidmapd start
# chkconfig --level 345 rpcidmapd on

Then mount the export.

# mkdir /mnt/nfsv4
# mount -t nfs4 server:/ /mnt/nfsv4

If the mount fails check to make sure all the necessary services are running on both ends and that your firewall isn't blocking NFSv4 traffic.

Specification Documents

Mailing Lists

  • IETF NFSv4 Working Group Mailing List: Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

Presentations

  • MAC resources Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

News Articles

  • GCN coverage Government Computer News on the project as Dave Q presents at IETF 71.


Personal tools