Difference between revisions of "Labeled NFS/Demo"

From SELinux Wiki
Revision as of 13:49, 12 December 2008

Introduction

The goal of the demonstration is to show the passing of security labels over NFSv4 in a configuration similar to what might be found in a typical enterprise environment. Modern enterprise environments provide a number of centralized services for authentication and authorization, directory services, and network storage of user data; in the demonstration these are provided by the server component. These common services are provided using the following packages:

  • Authentication Services - Kerberos
  • Directory Services / Authorization Services - OpenLDAP
  • Centralized User Data Storage - NFSv4

The client component of the demonstration uses these services to provide users with login access. Automated installation scripts allow clients to be rapidly installed and configured, differing only in their client Kerberos credentials. The demonstration user is able to log in to each client, with their user data available on each system.

Mandatory access controls are enforced on both the client and server in Multi-Level Security (MLS) mode using SELinux.

Under the hood

Once the demo is set up, what happens when a user logs in?

If the demo was set up properly, and the right username and password are used, the user should be able to log in through GDM and have their home directory mounted, with a normal and functional GNOME session started. Under the covers, a complex series of steps involving Kerberos, RPC services, LDAP, automount and NFS ensures authentication of the user as well as of the client and server systems and services. In a nutshell, here are the important steps that occur during a 'normal' user login:

  1. User account information is pulled from the LDAP server.
    1. Using the supplied username, the server returns the available account-related information (UID, GID, shell, home directory, etc.).
  2. User authentication is provided through PAM, which is configured to use Kerberos.
    1. Prior to acquiring the user's Kerberos ticket, the client and server systems mutually authenticate to ensure the correct systems are involved in the authentication steps.
    2. Assuming the correct password is supplied, the client system is able to authenticate the user and caches the user's Kerberos credentials for later use.
  3. User home directories are mounted via NFSv4 by automount.
    1. Automount attempts to mount the user's home directory, and RPC GSSD presents the user's cached Kerberos credentials to the NFS server, as only authenticated users are allowed to mount exported shares.
    2. UID/GID -> user name/group name mapping information (provided by the LDAP server) is used to associate user names with the UIDs and GIDs denoting ownership of the mounted files and directories. This information is used by the operating system to enforce discretionary access controls.
    3. The NFS client and server exchange security labels to allow SELinux to label files appropriately and enforce mandatory access controls.
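
A small check script for step 3, added here as an example and not part of the demo's own packages: run on a client after login, it confirms that the home directory is an NFSv4 mount using a Kerberos security flavour (`sec=krb5*`) and that the files carry the server's per-file SELinux contexts rather than a single fallback type. The `/proc/mounts` and `ls -Z` samples, the server name and the user `alice` are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample of /proc/mounts on a demo client (not captured from the demo).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
nfsserver.example.com:/home/alice /home/alice nfs4 rw,relatime,vers=4,sec=krb5p,clientaddr=10.0.0.5 0 0
"""

# Constructed sample of `ls -Z` output taken inside the mounted home directory.
SAMPLE_LS_Z = """\
-rw-------  alice alice staff_u:object_r:user_home_t:s0 .bash_history
-rw-r--r--  alice alice staff_u:object_r:user_home_t:s0 .bashrc
drwx------  alice alice staff_u:object_r:ssh_home_t:s0 .ssh
-rw-r--r--  alice alice staff_u:object_r:user_home_t:s0 notes.txt
"""

def home_mount_security(mounts: str, mount_point: str) -> Optional[str]:
    """Return the sec= flavour of an nfs4 mount at mount_point, or None if there is no such mount."""
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _, mp, fstype, opts = fields[:4]
        if mp == mount_point and fstype == "nfs4":
            for opt in opts.split(","):
                if opt.startswith("sec="):
                    return opt[len("sec="):]
            return "sys"  # no sec= option: AUTH_SYS, i.e. no Kerberos authentication
    return None

def file_labels(ls_z: str) -> Dict[str, str]:
    """Map file name -> security context from `ls -Z` lines (mode user group context name)."""
    labels = {}
    for line in ls_z.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            labels[fields[-1]] = fields[-2]
    return labels

def labels_look_passed(labels: Dict[str, str]) -> bool:
    """True when more than one SELinux type is present and none is the generic nfs_t fallback
    that an unlabeled NFS mount shows for every file."""
    types = {ctx.split(":")[2] for ctx in labels.values()}
    return len(types) > 1 and "nfs_t" not in types

def check(mounts: str, ls_z: str, mount_point: str) -> List[str]:
    """Return a list of problems found; an empty list means the login flow looks healthy."""
    problems = []
    sec = home_mount_security(mounts, mount_point)
    if sec is None:
        problems.append(f"{mount_point} is not an NFSv4 mount")
    elif not sec.startswith("krb5"):
        problems.append(f"{mount_point} mounted with sec={sec}, not Kerberos")
    if not labels_look_passed(file_labels(ls_z)):
        problems.append("files carry a single or fallback label; label passing not in effect")
    return problems
```

On a real client, feed `open("/proc/mounts").read()` and the output of `ls -Z` in the user's home directory to `check()` instead of the constructed samples.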


More specific information describing how the services on the clients and servers interact, and mapping between different service namespaces can be found here:

Service Interaction and User Name Mapping

Instructions

Information helpful for troubleshooting issues is included in-line in the manual installation instructions and at the end of the automated installation.

Packages

Kickstart files, binary RPMs and source RPMs are available for download at:

http://www.selinuxnow.org/sefos/packages

More information on the specific packages required is included in the automated install guide.

Binary packages are compiled for Fedora Core 9 systems on the Intel x86 architecture. Source RPMs are available (but not tested) for use on other releases or architectures.