Labeled NFS/Demo/Manual/NFSv4

From SELinux Wiki
Revision as of 15:50, 15 December 2008

NFSv4 Server

NFS Server Packages

The NFS server installation requires three custom packages, two of which replace/upgrade existing packages to include support for Labeled NFS. The third package includes SELinux policy necessary for the NFS server to access and manage exported files and directories. The latest versions of the packages are identified on the main Labeled NFS demo page.

  • Linux Kernel with Labeled NFS patches
  • NFS Utils with Labeled NFS patches
  • SEFOS Server SELinux policy

The NFS server is also a Kerberos client, so the packages identified in the Kerberos client configuration section are required.

Other useful packages:

  • system-config-nfs
  • nfswatch

Create Kerberos Principals

Run kadmin on the Kerberos Server and create the nfs principal for the server. Then, add the nfs principal's key to the local keytab file.

  • Replace nfsserver.example.com with the fully qualified name of the NFSv4 server machine.
  • The same machine may host the NFSv4 server and the Kerberos server. In that case, both the principal creation and the adding of the principal to the local key table are still required.
  • Note the special way in which the NFS principal is added: the encryption key type is specified explicitly.
    • If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
    • This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/nfsserver.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/nfsserver.example.com
kadmin: quit

Server Configuration

Create the necessary entries in /etc/exports.

  • Create an NFSv4 mount point.
    • e.g. /mnt/export
  • Next, bind the real path to the NFSv4 mount point.
    • e.g. /mnt/export/home
    • An fstab entry binding the real path to the mount point should be added to /etc/fstab so that it is remounted after each boot.
mkdir -m 1777 /mnt/export
mkdir /mnt/export/home
echo "/home                   /mnt/export/home         none    bind 0 0" >> /etc/fstab
mount -a


/etc/exports

The exported directories need to be added to /etc/exports:

/mnt/export      192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)

/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)

and if legacy NFSv3 mounts are desired add:

# Legacy mounts
/home        192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)

Note: On 64-bit machines, the anonuid and anongid values above should be set to '4294967294'.
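The export layout above has several parts that must agree with each other (one fsid=0 pseudo-root, security_label plus a Kerberos sec= flavour on every export under it, and anonuid/anongid matching the server's word size). The following script is an added example, not part of the wiki page, that lints an exports file for those conditions before exportfs is run; the sample exports text and the BROKEN_EXPORTS variant are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): lint an /etc/exports file for the
# labeled-NFSv4 layout. Functions take the file contents as a string so
# they can be exercised on constructed samples as well as on the real file.

# Constructed sample: the exports file from this page.
SAMPLE_EXPORTS='/mnt/export      192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
/mnt/export/home 192.168.201.0/24(sec=krb5:krb5i:krb5p,security_label,sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)
# Legacy mounts
/home        192.168.201.0/24(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534,no_root_squash)'

# Constructed sample with two mistakes: the home export under the pseudo-root
# is exported with sec=sys and no security_label.
BROKEN_EXPORTS='/mnt/export      192.168.201.0/24(sec=krb5,security_label,rw,fsid=0,no_subtree_check,anonuid=65534,anongid=65534)
/mnt/export/home 192.168.201.0/24(sec=sys,rw,nohide,no_subtree_check,anonuid=65534,anongid=65534)'

# count_pseudo_roots TEXT - number of non-comment exports carrying fsid=0.
count_pseudo_roots() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | grep -c 'fsid=0' || true
}

# unlabeled_under_root TEXT ROOT - prints exports at or below ROOT whose
# options lack security_label or a sec=krb5 flavour (nothing printed = good).
unlabeled_under_root() {
    printf '%s\n' "$1" | awk -v root="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            if (index($1, root) != 1) next      # legacy exports are not checked
            if ($2 !~ /security_label/ || $2 !~ /sec=krb5/) print $1
        }'
}

# anon_ids_ok TEXT BITS - every anonuid/anongid must equal the nobody id for
# a BITS-bit server: 65534 on 32-bit, 4294967294 on 64-bit (as the page notes).
anon_ids_ok() {
    case $2 in
        32) want=65534 ;;
        64) want=4294967294 ;;
        *)  echo "usage: anon_ids_ok TEXT 32|64" >&2; return 2 ;;
    esac
    bad=$(printf '%s\n' "$1" | awk -v want="$want" '
        /^[[:space:]]*(#|$)/ { next }
        {
            n = split($2, kv, /[(),]/)
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^anon[ug]id=/) {
                    split(kv[i], p, "=")
                    if (p[2] != want) { print $1; break }
                }
        }')
    if [ -n "$bad" ]; then
        for p in $bad; do echo "$p: anonuid/anongid is not $want"; done
        return 1
    fi
    return 0
}

# lint_exports TEXT ROOT BITS - run all checks; returns 0 only if all pass.
lint_exports() {
    status=0
    roots=$(count_pseudo_roots "$1")
    if [ "$roots" -ne 1 ]; then
        echo "expected exactly one fsid=0 pseudo-root, found $roots"; status=1
    fi
    for p in $(unlabeled_under_root "$1" "$2"); do
        echo "$p: under $2 but lacks security_label or sec=krb5"; status=1
    done
    anon_ids_ok "$1" "$3" || status=1
    if [ "$status" -eq 0 ]; then echo "exports OK for a $3-bit server"; fi
    return $status
}

# Demonstration on the constructed samples; on a real server use
#   lint_exports "$(cat /etc/exports)" /mnt/export 64
lint_exports "$SAMPLE_EXPORTS" /mnt/export 32 || true
lint_exports "$BROKEN_EXPORTS" /mnt/export 64 || true
```

Only exports whose path starts with the pseudo-root are held to the labeled-NFS requirements; the legacy NFSv3 export of /home is deliberately left alone, matching the page's separate "Legacy mounts" block.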

Modify /etc/idmapd.conf

You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.

  • In general, the Domain value here should match the default_domain value in the Kerberos krb5.conf file.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch

Modify /etc/sysconfig/nfs

To enable secure NFS, the following line must be added to /etc/sysconfig/nfs:

SECURE_NFS=yes

The following are default ports. They may be reconfigured depending on local firewall setups.

# Port rquotad should listen on.
#RQUOTAD_PORT=875
...
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
...
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
...
# Port rpc.statd should listen on.
#STATD_PORT=662

For a large number of connections, the number of NFS daemons below may need to be increased:

RPCNFSDCOUNT=8

Firewalls

If there is a firewall on the server, the following default port should be allowed through to enable NFSv4.

NFSv4 Ports:

  • 2049 TCP

To open this port through the firewall, add the following lines to /etc/sysconfig/iptables right before the INPUT REJECT rule:

# nfs server
-A INPUT -m tcp -p tcp --dport 2049 -j ACCEPT

Then restart iptables:

run_init service iptables restart
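Editing /etc/sysconfig/iptables by hand is easy to get wrong: placing the ACCEPT rule after the INPUT REJECT rule silently leaves port 2049 blocked. The following script is an added example, not part of the wiki page, that inserts the rule from the page before the first INPUT REJECT rule and is safe to re-run. The sample iptables file is constructed for the example and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): insert the NFSv4 ACCEPT rule before the
# INPUT REJECT rule of an iptables save-file, idempotently.

# Constructed sample of a stock /etc/sysconfig/iptables.
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample without an INPUT REJECT rule (chain policy decides).
NO_REJECT_IPTABLES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# The rule exactly as given on the page.
NFS_RULE='-A INPUT -m tcp -p tcp --dport 2049 -j ACCEPT'

# add_nfs_rule TEXT - prints TEXT with "# nfs server" and the rule inserted
# before the first "-A INPUT ... -j REJECT" line. Prints TEXT unchanged when
# the rule is already present. Returns 1 (output unchanged) if there is no
# INPUT REJECT rule to anchor on, so the placement must be decided by hand.
add_nfs_rule() {
    printf '%s\n' "$1" | awk -v rule="$NFS_RULE" '
        index($0, rule) == 1 { present = 1 }
        { lines[++n] = $0 }
        END {
            done = present
            for (i = 1; i <= n; i++) {
                if (!done && lines[i] ~ /^-A INPUT .*-j REJECT/) {
                    print "# nfs server"; print rule; done = 1
                }
                print lines[i]
            }
            exit done ? 0 : 1
        }'
}

# rule_before_reject TEXT - returns 0 only if the NFS rule exists and comes
# before the INPUT REJECT rule, i.e. it is actually reachable.
rule_before_reject() {
    printf '%s\n' "$1" | awk -v rule="$NFS_RULE" '
        index($0, rule) == 1 && !r { r = NR }
        /^-A INPUT .*-j REJECT/ && !j { j = NR }
        END { exit (r && j && r < j) ? 0 : 1 }'
}

# Demonstration on the constructed sample. On a real host, write to a new
# file, review it, then move it into place and restart iptables:
#   add_nfs_rule "$(cat /etc/sysconfig/iptables)" > /etc/sysconfig/iptables.new
UPDATED=$(add_nfs_rule "$SAMPLE_IPTABLES")
printf '%s\n' "$UPDATED"
```

Because the insertion point is the REJECT rule rather than the end of the file, the rule is reachable regardless of how many other ACCEPT rules precede it, and running the script twice leaves the file unchanged.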

NFS Start at Boot

Make NFS start during boot:

# chkconfig nfs on

Note: The rpcsvcgssd service needs to start after network services on your host. If it does not start properly at boot time, try moving it to start after network initialization (e.g. NetworkManager) in the initial start order (i.e. within /etc/rc.d/).

SELinux Policy tweaks

Install the NFS Server SELinux policy binary RPM, or build and install from the available SRPM.

Start nfs

run_init service nfs start

NFSv4 Client

NFS Client Packages

The NFS client requires the installation of one package, the SEFOS Client SELinux policy package:

  • http://www.selinuxnow.org/sefos/packages/sefos-client-policy-0.1-1.fc9.i386.rpm - SELinux policy for labeled NFS client

Other Useful Packages:

  • nfswatch

Create Kerberos Principals

Run kadmin on the client and create an nfs principal for the client. Then, add the principal to the client's local key table.

  • Replace seclient.example.com with the fully qualified name of the client machine.
  • Note the special way in which the NFS principal is added: the encryption key type is specified explicitly.
    • If this is not done, NFS will fail in mysterious ways and it will be difficult to track down the problem.
    • This is apparently because the NFS kernel code only supports des-cbc-crc.
# kadmin
Authenticating as principal root/admin@server.example.com with password.
Password for root/admin@server.example.com
kadmin: addprinc -randkey nfs/seclient.example.com
kadmin: ktadd -e des-cbc-crc:normal nfs/seclient.example.com
kadmin: quit
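Both the server and the client principal sections above warn that a keytab entry created without the des-cbc-crc enctype fails in hard-to-diagnose ways. The following script is an added example, not part of the wiki page, that inspects the output of klist -ke and reports whether the host's nfs/ principal is missing, present with the wrong enctype, or correct. The two keytab listings are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): confirm that the nfs/ service principal
# is in the keytab with a des-cbc-crc key. Input is the text of `klist -ke`.

# Constructed sample: the server keytab after ktadd -e des-cbc-crc:normal.
SAMPLE_SERVER_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfsserver.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed sample: a client keytab where ktadd was run WITHOUT -e, so the
# principal exists but only with the default enctypes (the failure case).
SAMPLE_CLIENT_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/seclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 nfs/seclient.example.com@EXAMPLE.COM (arcfour-hmac)'

# re_escape STRING - escape the dots of a hostname for use in a regex.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# nfs_principal_present HOST LISTING - 0 if any nfs/HOST@REALM entry exists.
nfs_principal_present() {
    printf '%s\n' "$2" | grep -Eq "^ *[0-9]+ +nfs/$(re_escape "$1")@"
}

# nfs_keytab_enctype_ok HOST LISTING - 0 only if an nfs/HOST entry has a
# des-cbc-crc key. Older MIT klist prints the enctype as
# "DES cbc mode with CRC-32", so both spellings are accepted.
nfs_keytab_enctype_ok() {
    printf '%s\n' "$2" \
        | grep -E "^ *[0-9]+ +nfs/$(re_escape "$1")@" \
        | grep -Eiq '\(des-cbc-crc\)|DES cbc mode with CRC-32'
}

# nfs_keytab_verdict HOST LISTING - prints a diagnosis; returns 0 (ok),
# 1 (principal present but no des-cbc-crc key) or 2 (principal missing).
nfs_keytab_verdict() {
    if ! nfs_principal_present "$1" "$2"; then
        echo "MISSING: no nfs/$1 entry in keytab; run addprinc and ktadd"
        return 2
    elif ! nfs_keytab_enctype_ok "$1" "$2"; then
        echo "WRONG ENCTYPE: nfs/$1 present but has no des-cbc-crc key; re-run ktadd -e des-cbc-crc:normal"
        return 1
    fi
    echo "OK: nfs/$1 has a des-cbc-crc key"
    return 0
}

# Demonstration on the constructed samples; on a real host use
#   nfs_keytab_verdict "$(hostname -f)" "$(klist -ke)"
nfs_keytab_verdict nfsserver.example.com "$SAMPLE_SERVER_KLIST" || true
nfs_keytab_verdict seclient.example.com "$SAMPLE_CLIENT_KLIST" || true
```

The distinction between "missing" and "wrong enctype" is the useful part: a missing principal produces a clear GSS error, whereas a principal with only AES or RC4 keys is exactly the "mysterious" failure the page warns about, and the only fix is to re-run ktadd with the -e option.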

NFS Client File Configuration

Modify /etc/idmapd.conf

You must change the domain to your current domain. Also, the user mapping for nobody should be checked and updated to nfsnobody if necessary.

  • In general, the Domain value here should match the default_domain value in the Kerberos krb5.conf file.
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
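A Domain value in idmapd.conf that does not match the Kerberos domain is a classic cause of every file showing up owned by nfsnobody. The following script is an added example, not part of the wiki page, that covers both the server and the client idmapd.conf sections above: it pulls the Domain from idmapd.conf, the default_domain from krb5.conf and the domain part of the host's FQDN, and checks that all three agree, and also checks the nobody mapping. The idmapd.conf text is the page's; the krb5.conf text, the BAD_IDMAPD variant and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): check that idmapd.conf, krb5.conf and
# the host name agree on the NFSv4 id-mapping domain.

# Sample idmapd.conf: the one given on this page.
SAMPLE_IDMAPD='[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch'

# Constructed krb5.conf fragment (an assumption; the page does not show it).
SAMPLE_KRB5='[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = server.example.com
  admin_server = server.example.com
  default_domain = example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM'

# Constructed idmapd.conf left at distribution defaults: wrong domain and
# the nobody user not changed to nfsnobody.
BAD_IDMAPD='[General]
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody'

# conf_value TEXT SECTION KEY - print the value of "KEY = value" inside
# [SECTION]; braces inside krb5.conf realm blocks are simply ignored.
conf_value() {
    printf '%s\n' "$1" | awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]*\[|\].*$/, "", s)
            insect = (s == sect); next
        }
        insect {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[[:space:]]*=/) next
            sub(/^[[:space:]]*=[[:space:]]*/, "", rest)
            sub(/[[:space:]]+$/, "", rest)
            print rest; exit
        }'
}

# domain_from_fqdn FQDN - everything after the first label.
domain_from_fqdn() {
    printf '%s\n' "$1" | sed 's/^[^.]*\.//'
}

# lc STRING - lower-case, since domain names are compared case-insensitively.
lc() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# idmap_domain_ok IDMAPD_TEXT KRB5_TEXT FQDN - 0 if all three domains agree.
idmap_domain_ok() {
    d=$(lc "$(conf_value "$1" General Domain)")
    k=$(lc "$(conf_value "$2" realms default_domain)")
    h=$(lc "$(domain_from_fqdn "$3")")
    [ -n "$d" ] && [ "$d" = "$k" ] && [ "$d" = "$h" ]
}

# nobody_mapping_ok IDMAPD_TEXT - 0 if both nobody mappings are nfsnobody.
nobody_mapping_ok() {
    [ "$(conf_value "$1" Mapping Nobody-User)" = nfsnobody ] &&
    [ "$(conf_value "$1" Mapping Nobody-Group)" = nfsnobody ]
}

# Demonstration on the samples; on a real host use
#   idmap_domain_ok "$(cat /etc/idmapd.conf)" "$(cat /etc/krb5.conf)" "$(hostname -f)"
if idmap_domain_ok "$SAMPLE_IDMAPD" "$SAMPLE_KRB5" seclient.example.com; then
    echo "sample idmapd.conf: domain consistent"
fi
if ! idmap_domain_ok "$BAD_IDMAPD" "$SAMPLE_KRB5" seclient.example.com; then
    echo "default idmapd.conf: domain mismatch, ids would map to nobody"
fi
```

Running the same check on both the server and the client matters because the mapping is done independently on each side: a mismatch on either host is enough for ownership to collapse to the nobody user.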

Modify /etc/sysconfig/nfs

To enable secure NFS, the following line must be included in /etc/sysconfig/nfs:

SECURE_NFS=yes

Modify /etc/fstab

Create a directory for the mount:

mkdir /mnt/nfs4

Add the directories to be mounted to fstab:

sefos:/      /mnt/nfs4       nfs4    users,sec=krb5   0 0

SELinux Policy tweaks

The NFS client package contains a script that performs some post install configuration. The core action performed by the script is to set these three SELinux booleans:

  • allow_kerberos - required for client-side Kerberos to function properly
  • allow_gssd_read_tmp - required for RPC GSSD to read cached Kerberos credentials in /tmp (for passing credentials between NFS client and server)
  • use_nfs_home_dirs - allow home directories (/home) to be mounted via NFS

The script is automatically run during the first normal system boot so no manual action beyond installing the package should be required.

Testing NFS

  • Assumes that the Kerberos server is running and the client is configured for Kerberos.

The following should not produce errors and should show the contents of /mnt/export on the NFS server:

[root@seclient /]# kinit -p root/admin
Password for root/admin@EXAMPLE.COM:
[root@seclient /]# mount /mnt/nfs4
[root@seclient /]# ls /mnt/nfs4

NFS References