The goal of the demonstration is to show passing of security labels over NFSv4 in a configuration similar to what might be found in a typical enterprise environment. Modern enterprise environments provide a number of centralized services for authentication and authorization, directory services, and network storage of user data, which are provided by the server component of the demonstration. These common services are provided using the following packages:
- Authentication Services - Kerberos
- Directory Services / Authorization Services - OpenLDAP
- Centralized User Data Storage - NFSv4
The client component of the demonstration utilizes these services to provide users with login access. Automated installation scripts allow clients to be rapidly installed and configured, differing only by the client kerberos credentials. The demonstration user will be able to access each client, with their user data available on each system.
Mandatory access controls are enforced on both the client and server in Multi Layer Security mode using SELinux.
NFS, Network File System
The NFS service enables files to be accessible across a network domain. The NFS service will provide user data directories (e.g. home directories). It will allow users to access their files from anywhere within the demo enterprise network.
NFS is a commonly used to provide distributed file services within enterprise networks. Using it for the network's user directories provides for:
- Centralized file control
- User based access control
- Easier data protection
- Centralized access control
- User mobility between hosts within the enterprise (i.e. users access files from any machine)
NFS is standard on most Unix/Linux distributions. It is also supported by Microsoft Windows, OS X, and other operating systems.
Modifed Kernel for NFS
Support for labeled files was added to the NFS version 4 client and server. Label management interfaces are provided and the mounted file system functions as any other local, labeled file system.
Kerberos Authentication Service
Kerberos is an authentication system for distributed systems. Its use in the demo is to provide authentication services for access to the client hosts and the NFS and LDAP servers.
As Security is a key part of this NFS demo, Kerberos was chosen for its ability to provide an enterprise level authentication system. Kerberos has a number of qualities that lends itself to this:
- Integrates easily with NFS
- It is a mature service used in many enterprises
- Designed to be secure within open networks
- Support for Kerberos exists on almost all major platforms
- Unix/NetBSD/Linux Kerberos is integrated into many popular distributions (and some embedded Linux OS's.
- default authentication within the Windows family of clients/servers since Windows 2000 Professional/Server.
- default authentication product in Mac OS X.
- It is an open standard, IETF RFC 1510.
LDAP, Lightweight Directory Access Protocol
LDAP is a simple network accessible directory service. It is used in this demo is to provide the user information necessary for client machines to perform user logins and mount the NFS provided home directories. More specifically, the LDAP server provides to the client machines:
- user name, uid, gid
- home directory locations
- login shell
The combination of these three services provide an example of a secure network file system that would be acceptable for a contemporary enterprise.
For the demo, the servers will most likely all run on the same host and there will be 1+ client hosts using the servers' services.
Under the hood
Once the demo is setup, what happens when a user logs in?
If it the demo was setup properly, and the right username and password are used, the user should be able to login through GDM and have their home directory mounted with a normal and functional GNOME session initiated. Under the covers a complex series of steps involving Kerberos, RPC services, LDAP, automount and NFS that ensures authentication of the user as well as client and server systems and services. In a nutshell, here are the important steps that occur during a 'normal' user login:
- User account information is pulled from the LDAP server.
- Using the supplied username the server returns available account related information (UID, GID, shell, home dir, etc.)
- User authentication is provided through PAM, which is configured to use Kerberos
- Prior to acquiring the user Kerberos ticket, the client and server systems mutually authenticate to ensure the correct systems are being involved in the authentication steps.
- Assuming the correct password is supplied, the client system is able to authenticate the user and caches the users Kerberos credentials for later use.
- User home directories are mounted via NFSv4 by automount.
- Automount attempts to mount the users home directory and RPC GSSD provides the user's cached Kerberos credentials to the NFS server as only authenticated users are allowed to mount exported shares.
- UID/GID -> user name/group name mapping information (provided by the LDAP server) is used to associated user names with the UIDs and GIDs denoting ownership of the mounted files and directories. This information is used by the operating system to enforce discretionary access controls.
- The NFS client and server exchange security labels to allow SELinux to appropriately label files and enforce mandatory access controls.
More specific information describing how the services on the clients and servers interact, and mapping between different service namespaces can be found here:
- Automated Client and Server installation via Kickstart
- Manual Client and Server installation
- Customizing the Server SELinux Policy
Information helpful for troubleshooting issues is included in-line in the manual installation instructions and at the end of the automated installation.
Binary packages are compiled for Fedora Core 9 systems using the Intel x86 architecture. Source RPMS are available (but not tested) for use on other releases or architectures.
The most recent versions of the packages binary packages and kickstart files are:
- http://www.selinuxnow.org/sefos/packages/ks.client.en.cfg - Client Kickstart
- http://www.selinuxnow.org/sefos/packages/ks.server.en.cfg - Server Kickstart
- http://www.selinuxnow.org/sefos/packages/kernel-2.6.28rc3-5.i386.rpm - Linux Kernel with Labeled NFS patches
- http://www.selinuxnow.org/sefos/packages/nfs-utils-1.1.2-7.fc9.labeled.i386.rpm - NFS Utils with Labeled NFS patches
- http://www.selinuxnow.org/sefos/packages/sefos-server-policy-0.2-1.fc9.i386.rpm - SELinux policy for labeled NFS server
- http://www.selinuxnow.org/sefos/packages/sefos-client-policy-0.1-1.fc9.i386.rpm - SELinux policy for labeled NFS client
Source RPMs and older binary packages are available at the same location: http://www.selinuxnow.org/sefos/packages