From Fedora Project Wiki
(Created page with "= SELinux Labeled NFS Support <!-- The name of your feature --> = == Summary == <!-- A sentence or two summarizing what this feature is and what it will do. This informatio...")
 
Line 20: Line 20:
selinux-policy fixes are in Fedora 20.  
selinux-policy fixes are in Fedora 20.  
NFS Support should be in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel
NFS Support should be in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel
nfs-utils support
mount support?


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->

Revision as of 14:31, 15 July 2013

SELinux Labeled NFS Support

Summary

The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS.

Owner

  • Email: <dwalsh@redhat.com>

Current status

  • Targeted release: [Fedora 20]
  • Last updated: Jul 15 2013
  • Percentage of completion: 50%

selinux-policy fixes are in Fedora 20. NFS Support should be in 3.11.0-0.rc0.git7.1.fc20.x86_64 kernel nfs-utils support mount support?


Detailed Description

We have always needed to treat NFS mounts with a single label usually something like nfs_t. Or at best allow an administrator to override the default with a label using the mount --context option. With this change we have lots of different Labels supported on an NFS share.

Benefit to Fedora

There are two huge benefits for Fedora, in that currently we can not differentiate different labels on a single NFS mount point. Applications like Secure Virtualization as launched by libvirt, can not set the label of an image file on an NFS share, so sVirt separation is severely weakened. Similarly if you setup home directories on an NFS share, then any confined application that needs to write a file in a home directory now can write any file on an NFS Share.

With labeled NFS this vulnerability goes away.

Scope

Turn on Labeled NFS in the Fedora Kernel, Fix any policy issues that arise because of this. I believe this is mainly a testing issue, and that the functionality is comeplet.

How To Test

We can continue using what we always did, all clients labeled the same

Documentation

Release Notes

Comments and Discussion