Difference between revisions of "Labeled NFS"
DaveQuigley (Talk | contribs) (→Labeled-NFS Kernel) |
DaveQuigley (Talk | contribs) (→Labeled-NFS Kernel) |
||
Line 61: | Line 61: | ||
git-checkout origin/lnfs -b lnfs | git-checkout origin/lnfs -b lnfs | ||
− | Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config use the kernel config menu to set the options below. | + | Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config use the kernel config menu to set the options below. Copy this file into your source tree and rename it to .config. |
make menuconfig | make menuconfig | ||
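Review bot: In the added sentence at the end of the changed paragraph, "Copy this file" now follows the sentence about making your own config, so "this file" has no clear referent. A reader who builds the config through menuconfig may think something still has to be copied. Move the new sentence directly after the one that gives the download URL. The URL is plain http, so publishing a checksum for config-2.6.28-rc6 next to it would let readers verify the file before it drives a kernel build.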
Line 82: | Line 82: | ||
[*] Provide NFSv4 server support | [*] Provide NFSv4 server support | ||
[*] Provide Security Label support for NFSv4 server | [*] Provide Security Label support for NFSv4 server | ||
+ | |||
+ | Finally build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot. | ||
+ | |||
+ | make | ||
+ | make modules_install install | ||
=== NFS Utils === | === NFS Utils === |
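Review bot: The added "make modules_install install" line does not say that it needs root, while the "make" line above it should run as an ordinary user. State that split in the sentence introducing the commands: build unprivileged, then run only the install step as root or through sudo. Where that sentence tells readers to make the new kernel the boot loader default, it should also tell them to keep the existing kernel entry as a fallback.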
Revision as of 20:37, 26 November 2008
Introduction
Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within NFSv4.
Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project. This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.
At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.
Project News
None as of yet.
Getting the code
The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. The three trees that pertain to the Labeled-NFS work are:
- users/dpquigl/lnfs.git
- users/dpquigl/nfs-utils.git
- users/dpquigl/libnfsdoimap.git
To clone these trees, use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for <tree>.
git clone git://git.selinuxproject.org/~dpquigl/<tree>
Building & Installing the Code
This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora-specific utilities and names. If you are running a distro other than Fedora, substitute the appropriate package manager calls and package names for your system.
Installing Development Packages
The nfs-utils git tree requires the development version of several packages to be installed.
yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \
    libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel
Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed.
yum install git
Labeled-NFS Kernel
This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.
The first step is to clone the Labeled-NFS kernel repository.
git clone git://git.selinuxproject.org/~dpquigl/lnfs
This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.
git branch
* lnfs
If instead you see * master, then you can issue the following command to check out and track the lnfs branch.
git checkout -b lnfs origin/lnfs
Once that is done, we need to set up the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. Copy this file into your source tree and rename it to .config. If you prefer to make your own kernel config, use the kernel config menu to set the options below.
make menuconfig
General setup --->
    [*] Auditing support
Security options --->
    [*] Enable different security models
    [*] Socket and Networking Security Hooks
    [*] NSA SELinux Support
File systems --->
    <*> Ext3 journalling file system support
    [*]   Ext3 extended attributes
    [*]     Ext3 Security Labels
    [*] Network File Systems --->
        <*> NFS file system support
        [*]   Provide NFSv4 client support
        [*]     Provide Security Label support for NFSv4 client
        <*> NFS server support
        [*]   Provide NFSv4 server support
        [*]     Provide Security Label support for NFSv4 server
Finally build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot.
make
make modules_install install
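Before running make, the resulting .config can be checked against the menu selections listed above. The script below is an added example, not part of the Labeled-NFS project. The stock symbols are mainline Kconfig names, but the two *_SECURITY_LABEL names are an assumption taken from later mainline kernels and should be confirmed with the "/" search in make menuconfig inside the lnfs tree.

```shell
#!/bin/sh
# Added example: compare a kernel .config with the menu selections above.
# ASSUMPTION: the two *_SECURITY_LABEL symbols use the names found in later
# mainline kernels; the prototype tree may name them differently.
LNFS_REQUIRED="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_SELINUX CONFIG_EXT3_FS CONFIG_EXT3_FS_XATTR
CONFIG_EXT3_FS_SECURITY CONFIG_NETWORK_FILESYSTEMS CONFIG_NFS_FS CONFIG_NFS_V4
CONFIG_NFS_V4_SECURITY_LABEL CONFIG_NFSD CONFIG_NFSD_V4
CONFIG_NFSD_V4_SECURITY_LABEL"

# config_value FILE SYMBOL: print y or m, or n when the symbol is absent or
# appears only as "# CONFIG_X is not set". The last assignment wins.
config_value() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# lnfs_missing FILE: print one line per option that differs from the menu.
lnfs_missing() {
    for sym in $LNFS_REQUIRED; do
        case "$(config_value "$1" "$sym")" in
            y) ;;
            m) echo "$sym=m (menu shows it built in)" ;;
            *) echo "$sym is not set" ;;
        esac
    done
}

# Constructed sample input: NFS client built as a module and server-side
# label support left off; every other option matches the menu.
sample_config() {
    for sym in $LNFS_REQUIRED; do
        case "$sym" in
            CONFIG_NFS_FS) echo "$sym=m" ;;
            CONFIG_NFSD_V4_SECURITY_LABEL) echo "# $sym is not set" ;;
            *) echo "$sym=y" ;;
        esac
    done
}

# With a path argument check that file; otherwise run on the sample.
if [ $# -gt 0 ]; then
    lnfs_missing "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp" && lnfs_missing "$tmp"
    rm -f "$tmp"
fi
```

An empty result means every listed option is built in. A missing label option yields a kernel that builds and boots but does not carry security labels over NFSv4.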
NFS Utils
Specification Documents
- SENFS Requirements Document: Original requirements document for an SELinux specific version of Labeled NFS by James Morris.
- MAC Labeling Requirements and Problem Statement Page: Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.
- draft-quigley-nfsv4-sec-label-requirements-00.txt: Internet Draft submitted to the IETF on 1 May 2008.
- draft-quigley-nfsv4-sec-label-requirements-01.txt: Internet Draft submitted to the IETF on 24 June 2008.
Mailing Lists
- Labeled NFS Mailing List: Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.
- IETF NFSv4 Working Group Mailing List: Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.
Presentations
- IETF-71 NFSv4WG Slides Presentation by Dave Quigley given to the NFSv4 Working Group.
- MAC resources Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).
News Articles
- GCN coverage Government Computer News on the project as Dave Q presents at IETF 71.
- "NSA Pushes ‘Labeled’ Access Control for NFS" Dark Reading coverage.