Difference between revisions of "Labeled NFS/Demo/Manual/NFSv4"

From SELinux Wiki
Revision as of 14:27, 11 December 2008

NFSv4 Server

NFS Server Packages

Install the nfs-utils package supporting security labels, or download and build the package from the source RPM. The location of the packages is available on the main demo page.

The NFS server is also a Kerberos client and is required to be configured appropriately.

Other useful packages:

  • system-config-nfs
  • nfswatch

Create Kerberos Principals

Run kadmin on the Kerberos Server and create the nfs principal for the server. Then, add the nfs principal's key to the local keytab file.

  • Replace nfsserver.example.com with the fully qualified name of the NFSv4 server machine.
  • The same machine may host the NFSv4 server and the Kerberos server. In that case, both the principal creation and the addition of the principal to the local key table are still required.
  • Note the special way in which the NFS principal is added. The encryption key type is specified.
    • If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
    • This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/nfsserver.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/nfsserver.example.com
kadmin: quit

Server Configuration

Create the necessary entries in /etc/exports.

  • Create an NFSv4 mount point.
    • e.g. /mnt/export.
  • Next, bind the real path to the NFSv4 mount point.
    • e.g. /mnt/export/home
    • An fstab entry binding the real path to the mount point should be added to /etc/fstab so that it is remounted after each boot.
mkdir -m 1777 /mnt/export
mkdir /mnt/export/home
echo "/home                   /mnt/export/home         none    bind 0 0" >> /etc/fstab
mount -a


/etc/exports

The exported directories need to be added to /etc/exports:

/mnt/export      192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)  

/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)

and if legacy NFSv3 mounts are desired add:

# Legacy mounts
/home        192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)

Note: On 64-bit machines, the anonuid and anongid above should be set to '4294967294'.
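The exports above are easy to get subtly wrong (a missing sec= silently falls back to AUTH_SYS, a second fsid=0 breaks the pseudo-root, no_root_squash and insecure are deliberate trade-offs that should be visible). The following is an added example, not part of this wiki page or of nfs-utils: a small exports(5) parser and audit written for this guide. The sample text is the page's own three export lines plus one constructed weak line (/srv/scratch) so the audit has something extra to report.

```python
"""Audit /etc/exports for options that weaken a Kerberos-only, labeled NFSv4 export.

Added example, not part of the wiki page's own procedure.  It parses the
exports(5) line format and reports what this guide cares about: every export
should carry sec= with only krb5 flavors and security_label, exactly one export
should be the fsid=0 pseudo-root, and no_root_squash / insecure / wildcard
clients are reported as risks that deserve a conscious decision.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the three exports shown on this page plus one deliberately
# weak line (/srv/scratch) that is not from the page.
SAMPLE_EXPORTS = """\
/mnt/export      192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
# Legacy mounts
/home        192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
/srv/scratch *(rw,sec=sys:krb5)
"""

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# One parsed export: (path, client spec, {option: value-or-empty-string}).
Export = Tuple[str, str, Dict[str, str]]

_SPEC_RE = re.compile(r"([^()]*)(?:\(([^)]*)\))?")


def parse_exports(text: str) -> List[Export]:
    """Split exports(5) text into (path, client, options) tuples, one per client spec."""
    entries: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]  # a bare path exports to everyone
        for spec in specs:
            m = _SPEC_RE.fullmatch(spec)
            if not m:
                raise ValueError(f"unparseable client spec {spec!r} for {path}")
            client = m.group(1) or "*"  # "(rw)" with no host means all hosts
            opts: Dict[str, str] = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                opts[key] = value
            entries.append((path, client, opts))
    return entries


def audit_exports(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    entries = parse_exports(text)
    findings: List[str] = []

    roots = {path for path, _, opts in entries if opts.get("fsid") == "0"}
    if len(roots) != 1:
        findings.append(f"expected exactly one fsid=0 pseudo-root export, found {sorted(roots)}")

    for path, client, opts in entries:
        where = f"{path} {client}"
        # exports(5): without a sec= option only AUTH_SYS (sec=sys) is accepted.
        flavors = opts["sec"].split(":") if "sec" in opts else ["sys"]
        weak = [f for f in flavors if f not in KRB5_FLAVORS]
        if weak:
            findings.append(f"{where}: accepts non-Kerberos security flavor(s) {','.join(weak)}")
        if "security_label" not in opts:
            findings.append(f"{where}: security_label not set, SELinux labels will not cross this export")
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash lets a remote root act as uid 0 on the server")
        if "insecure" in opts:
            findings.append(f"{where}: insecure accepts requests from unprivileged client ports")
        if client == "*":
            findings.append(f"{where}: exported to every host")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a copy of the real /etc/exports by passing the file contents to audit_exports(). The legacy NFSv3 line is reported for its missing sec= and security_label, which is expected for that export; the point is that those properties are now stated rather than implied.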

Modify /etc/idmapd.conf

You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.

  • In general, the Domain value here should match Kerberos's krb5.conf file default_domain value.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch

Modify /etc/sysconfig/nfs

To enable secure NFS, the following line must be added to /etc/sysconfig/nfs:

SECURE_NFS=yes

The following are default ports. They may be reconfigured depending on local firewall setups.

# Port rquotad should listen on.
#RQUOTAD_PORT=875
...
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
...
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
...
# Port rpc.statd should listen on.
#STATD_PORT=662

For a large number of connections, the number of NFS daemons below may need to be increased:

RPCNFSDCOUNT=8

Firewalls

If there is a firewall on the server, the following default port should be allowed through to enable NFSv4.

NFSv4 Ports:

  • 2049 TCP

To open this port through the firewall, add the following lines to /etc/sysconfig/iptables right before the INPUT REJECT rule:

# nfs server
-A INPUT -m tcp -p tcp --dport 2049 -j ACCEPT

Then restart iptables:

run_init service iptables restart
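Placing the ACCEPT rule before the INPUT REJECT rule matters: a rule appended after the REJECT is never reached, and the mount simply hangs. The following is an added example, not from this wiki page, that automates that edit on the contents of /etc/sysconfig/iptables and verifies the ordering. The sample file is constructed here in iptables-save format with illustrative rules; only the 2049 rule comes from the page.

```python
"""Add the NFSv4 ACCEPT rule to an iptables save file ahead of the INPUT chain's REJECT rule.

Added example, not from the wiki page: it performs the manual edit the guide
describes and checks the result, because an ACCEPT placed after the REJECT
is dead.
"""
from typing import List, Optional

NFS_RULE = "-A INPUT -m tcp -p tcp --dport 2049 -j ACCEPT"
NFS_COMMENT = "# nfs server"

# Constructed sample in iptables-save format, the shape of /etc/sysconfig/iptables
# on a Fedora host of this era (hypothetical content, rules are illustrative).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def _input_reject_index(lines: List[str]) -> Optional[int]:
    """Index of the first INPUT-chain rule whose target is REJECT, or None."""
    for i, line in enumerate(lines):
        fields = line.split()
        if fields[:2] != ["-A", "INPUT"] or "-j" not in fields:
            continue
        j = fields.index("-j")
        if j + 1 < len(fields) and fields[j + 1] == "REJECT":
            return i
    return None


def add_nfs_rule(text: str, rule: str = NFS_RULE, comment: str = NFS_COMMENT) -> str:
    """Return the file with `rule` inserted just before the INPUT REJECT rule (idempotent)."""
    lines = text.splitlines()
    if any(line.strip() == rule for line in lines):
        return text  # already present, do not duplicate
    idx = _input_reject_index(lines)
    if idx is None:
        raise ValueError("no INPUT REJECT rule found; refusing to guess an insertion point")
    lines[idx:idx] = [comment, rule]
    return "\n".join(lines) + "\n"


def nfs_rule_effective(text: str, rule: str = NFS_RULE) -> bool:
    """True only if the ACCEPT rule is present and precedes the INPUT REJECT rule."""
    lines = [line.strip() for line in text.splitlines()]
    if rule not in lines:
        return False
    idx = _input_reject_index(lines)
    return idx is None or lines.index(rule) < idx


if __name__ == "__main__":
    updated = add_nfs_rule(SAMPLE_IPTABLES)
    print(updated)
    print("effective:", nfs_rule_effective(updated))
```

After writing the result back to /etc/sysconfig/iptables, the `run_init service iptables restart` step above loads it; nfs_rule_effective() is the check to run on the saved file afterwards.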

NFS Start at Boot

Make NFS start during boot:

# chkconfig nfs on

Note: The rpcsvcgssd service needs to start after network services on your host. If it does not start properly at boot time, try moving it to start after network initialization (e.g. NetworkManager) in the initial start order (i.e. within /etc/rc.d/).

SELinux Policy tweaks

Install the NFS Server SELinux policy binary RPM, or build and install from the available SRPM. The location of the packages is identified in the kickstart installation guide.

Start nfs

run_init service nfs start

NFSv4 Client

F9 NFS Client Packages

Install the nfs-utils package supporting security labels, or download and build the package from the source RPM. The location of the packages is available on the main demo page.

The NFS client is also a Kerberos client and is required to be configured as such.

Other Useful Packages:

  • nfswatch

Create Kerberos Principals

Run kadmin on the client and create an nfs principal for the client. Then, add the principal to the client's local key table.

  • Replace seclient.example.com with the fully qualified name of the client machine.
  • Note the special way in which the NFS principal is added. The encryption key type is specified.
    • If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
    • This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/seclient.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/seclient.example.com
kadmin: quit
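Both the server and the client kadmin sessions above end by adding an nfs/host key with the des-cbc-crc enctype, and the guide warns that a keytab without that enctype fails in hard-to-diagnose ways. The following is an added example, not part of this wiki page or of MIT Kerberos: it parses a `klist -k -e` listing and reports whether the nfs principal for a host is present with the required key type. The two listings are constructed, and the enctype description strings are assumed to match what MIT klist prints.

```python
"""Check a keytab listing for the nfs/<host> principal and the des-cbc-crc key this guide requires.

Added example, not part of the wiki page.  Input is the text printed by
`klist -k -e` (MIT Kerberos); the enctype description strings and the sample
listings below are constructed here and assumed to match that tool's output.
"""
import re
from typing import Dict, List, Set

# Constructed sample listings in the shape printed by `klist -k -e`.
SAMPLE_KEYTAB_OK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsserver.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 nfs/nfsserver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# Constructed: the client principal was added without "-e des-cbc-crc:normal".
SAMPLE_KEYTAB_WRONG_ENCTYPE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/seclient.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
"""

# klist -e prints a description rather than the enctype name; map the ones that matter here
# (assumed descriptions).  Unknown descriptions are kept verbatim.
ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
}

# "<kvno> <principal> (<enctype description>)"; the parenthesised part is absent without -e.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_klist(text: str) -> Dict[str, Set[str]]:
    """Map each principal in a `klist -k -e` listing to the set of enctypes it has keys for."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m or "@" not in m.group(2):  # header, separator and blank lines
            continue
        principal, desc = m.group(2), m.group(3)
        enctype = ENCTYPE_NAMES.get(desc, desc) if desc else "unknown"
        keys.setdefault(principal, set()).add(enctype)
    return keys


def check_nfs_keytab(text: str, host: str, realm: str = "EXAMPLE.COM",
                     required: str = "des-cbc-crc") -> List[str]:
    """Return problems that would stop rpc.gssd/rpc.svcgssd finding a usable nfs/<host> key."""
    principal = f"nfs/{host}@{realm}"
    keys = parse_klist(text)
    if principal not in keys:
        return [f"{principal} is not in the keytab; run 'ktadd -e {required}:normal nfs/{host}' in kadmin"]
    if required not in keys[principal]:
        return [f"{principal} has keys {sorted(keys[principal])} but not {required}; "
                f"this guide's kernel NFS code only uses {required}"]
    return []


if __name__ == "__main__":
    print(check_nfs_keytab(SAMPLE_KEYTAB_OK, "nfsserver.example.com"))
    print(check_nfs_keytab(SAMPLE_KEYTAB_WRONG_ENCTYPE, "seclient.example.com"))
```

On a real host, feed the output of `klist -k -e` (run as root so /etc/krb5.keytab is readable) to check_nfs_keytab() with the machine's fully qualified name; an empty list means the principal and key type the kadmin steps above were meant to produce are actually in the keytab.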

NFS Client File Configuration

Modify /etc/idmapd.conf

You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.

  • In general, the Domain value here should match Kerberos's krb5.conf file default_domain value.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
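Both the server and the client idmapd.conf sections above carry the same two requirements: Domain must match the default_domain in krb5.conf, and the nobody mapping must point at nfsnobody. The following is an added example, not part of this wiki page: it reads both files and reports any disagreement. The idmapd.conf text is the page's own; the krb5.conf sample and the second idmapd.conf variant left at shipped defaults are constructed.

```python
"""Cross-check /etc/idmapd.conf against krb5.conf the way this guide asks.

Added example, not part of the wiki page.  The good idmapd.conf text is the
page's own; the krb5.conf sample and the default-valued idmapd.conf variant
are constructed.
"""
import configparser
from typing import Dict, List, Optional

SAMPLE_IDMAPD = """\
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
"""

# Constructed: an idmapd.conf nobody edited after installation.
SAMPLE_IDMAPD_DEFAULT = """\
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = local.domain.edu

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
"""

# Constructed krb5.conf for the EXAMPLE.COM realm used throughout the demo.
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: sections of key = value, with { } sub-blocks nested as dicts."""
    conf: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            continue  # directives before the first section (e.g. includedir) are ignored here
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def krb5_default_domain(krb5_text: str) -> Optional[str]:
    """default_domain of the default realm, or None if krb5.conf does not define it."""
    conf = parse_krb5_conf(krb5_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    return conf.get("realms", {}).get(realm, {}).get("default_domain") if realm else None


def check_idmapd(idmapd_text: str, krb5_text: str) -> List[str]:
    """Return the mismatches this guide warns about; an empty list means the files agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(idmapd_text)
    problems: List[str] = []
    domain = cp.get("General", "Domain", fallback=None)
    expected = krb5_default_domain(krb5_text)
    if domain is None:
        problems.append("idmapd.conf: [General] Domain is not set")
    elif expected is None:
        problems.append(f"krb5.conf: default realm has no default_domain to compare Domain={domain} against")
    elif domain.lower() != expected.lower():
        problems.append(f"idmapd.conf Domain={domain} differs from krb5.conf default_domain={expected}")
    for key in ("Nobody-User", "Nobody-Group"):
        value = cp.get("Mapping", key, fallback=None)
        if value != "nfsnobody":
            problems.append(f"idmapd.conf: [Mapping] {key}={value} should be nfsnobody")
    return problems


if __name__ == "__main__":
    print(check_idmapd(SAMPLE_IDMAPD, SAMPLE_KRB5))
    print(check_idmapd(SAMPLE_IDMAPD_DEFAULT, SAMPLE_KRB5))
```

Run check_idmapd() with the contents of /etc/idmapd.conf and /etc/krb5.conf on each host; a Domain mismatch is what makes every file show up owned by the nobody user after an otherwise successful Kerberos mount.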

Modify /etc/sysconfig/nfs

To enable secure NFS, the following line must be included in /etc/sysconfig/nfs:

SECURE_NFS=yes

Modify /etc/fstab

Create a directory for the mount:

mkdir /mnt/nfs4

Add the directories to be mounted to fstab:

sefos:/      /mnt/nfs4       nfs4    users,sec=krb5   0 0

SELinux Policy tweaks

Install the NFS Server SELinux policy binary RPM, or build and install from the available SRPM. The location of the packages is identified in the kickstart installation guide.

Testing NFS

  • Assumes that the Kerberos server is running and the client is configured for Kerberos.

The following should not produce errors and should show the contents of /mnt/export on the NFS server:

[root@seclient /]# kinit -p root/admin
Password for root/admin@EXAMPLE.COM:
[root@seclient /]# mount /mnt/nfs4
[root@seclient /]# ls /mnt/nfs4

NFS References