SELinux Wiki - User contributions [en]: DaveQuigley (feed generated 2024-03-29T00:31:34Z, MediaWiki 1.23.13)

http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2010-10-05T13:02:16Z
DaveQuigley: /* Installing Development Packages */

== Introduction ==

Labeled NFS is an effort to provide the mechanisms required to use Mandatory Access Control systems with [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]. If you are interested in participating in the project take a look at the [http://www.selinuxproject.org/page/Labeled_NFS/TODO TODO list].

== Getting the code ==

The Labeled NFS prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/.

The Labeled NFS project has recently reorganized the way that patches and source trees are made available. In the past there was one git tree per component, and if you wanted the patch set for a component you would clone the tree and extract the patches using git format-patch on the branch containing the patches. This model made development against the tree difficult, as the branch was destroyed every time it was rebased against upstream, losing the history of prior patch versions.

The new method of releasing the Labeled NFS code consists of two git trees. If you look at http://selinuxproject.org/git there is a tree named lnfs-patchset and another named lnfs. The first tree contains a guilt patch series with the Labeled NFS code. At the moment there is just the version of the patches for 2.6.31 in the tree. As time goes by there will be new commits for the patches for newer kernel versions. It is unclear if only release versions will be tracked or if RC tags will be tracked as well. If RC tags are tracked, rc1 and maybe even rc2 will probably be skipped, since rc1 is the close of the merge window and there is no guarantee that the tree is not completely broken.

The second tree mentioned above is the full kernel tree with the Labeled NFS patches applied. While the lnfs-patchset repository uses tags to mark particular kernel versions, this isn't possible with the kernel git tree, so we use branches instead. In the lnfs tree you will find a branch for each tag in the lnfs-patchset repository. So currently there is a v2.6.31-lnfs branch on the lnfs git tree. If you wish to do development against the LNFS tree or test the code you should check out the latest version of the tree. The main branch for the repository will always be the latest one, so a git clone should pull it automatically.

The git trees and which component they contain are listed below.

'''Kernel'''
* users/dpquigl/lnfs
* users/dpquigl/lnfs-patchset

'''NFS Utils'''
* users/dpquigl/nfs-utils
* users/dpquigl/nfs-utils-patchset

'''DOI Mapping Framework Library'''
* users/dpquigl/libnfsdoimap.git (does not have a corresponding patch tree since it is an original work)

To clone these trees use the command below, substituting any of {lnfs, lnfs-patchset, nfs-utils, nfs-utils-patchset, libnfsdoimap.git} for <tree>.

 git clone git://git.selinuxproject.org/~dpquigl/<tree>

== Building & Installing the Code ==

This documentation describes how to build the Labeled NFS kernel and a modified NFS utilities package. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora, substitute the appropriate package manager calls and package names for your system.

=== Installing Development Packages ===

The nfs-utils git tree requires the development version of several packages to be installed.

 yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \
 libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel \
 libtirpc-devel libblkid-devel

Since the Labeled NFS code is published via git and a patch management system named guilt, the next step is to install these utilities.

 yum install git guilt

=== Labeled-NFS Kernel ===

This section explains how to clone the Labeled NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel then you can skip to the section which lists the appropriate kernel config options for the Labeled NFS functionality.

First clone the Labeled-NFS kernel repository.

 git clone git://git.selinuxproject.org/~dpquigl/lnfs

This should give you the kernel tree with the latest version branch checked out. You can double check this by issuing the command listed below, which should show a branch based on the latest kernel version.

 git branch
 * v2.6.31-lnfs

If instead you see * master then you can issue the following command to check out and track the lnfs branch.

 git checkout -b v2.6.31-lnfs origin/v2.6.31-lnfs

Once that is done, set up the kernel config for the build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config, use the kernel config menu to set the options below. Otherwise copy the config file into your source tree and rename it to .config.

 make menuconfig

 General setup --->
   [*] Auditing support
 Security options --->
   [*] Enable different security models
   [*] Socket and Networking Security Hooks
   [*] NSA SELinux Support
 File systems --->
   <*> Ext3 journalling file system support
   [*] Ext3 extended attributes
   [*] Ext3 Security Labels
   [*] Network File Systems --->
     <*> NFS file system support
     [*] Provide NFSv4 client support
     [*] Provide Security Label support for NFSv4 client
     <*> NFS server support
     [*] Provide NFSv4 server support
     [*] Provide Security Label support for NFSv4 server

Finally build and install the tree with the commands below and either edit the boot loader to choose the new kernel as the default or select it from the menu on boot.

 make
 make modules_install install

=== NFS Utils ===

This section explains how to build and install the modified NFS Utils package needed to export security labels. This is only needed on the server, which is where exportfs does sanity checking on export arguments. If you are deploying this on several systems and have clients that don't intend to export any volumes, you don't need to install this package on those clients. However, you will still need it on the server.

First clone the Labeled-NFS nfs-utils repository.

 git clone git://git.selinuxproject.org/~dpquigl/nfs-utils

This should give you the source tree with the latest version branch checked out. You can double check this by issuing the command listed below, which should show a branch named after the latest version.

 git branch
 * <latest-version>

If instead you see * master then you can issue the following command to check out and track the branch you want.

 git checkout -b <desired branch> origin/<desired branch>

After this, build the source tree by issuing the commands below. The final command needs to be executed as root. If you run into any problems when executing the configure command, go back and make sure you have all the necessary development packages installed.

 sh autogen.sh
 ./configure
 make
 make install

== Client & Server Setup ==

=== Server ===

The first thing to do is to make sure that the rpc filesystem is installed and mounted. If you use the default Fedora kernel config this will be the case. There is an issue in that the init scripts for the NFS daemons try to install the sunrpc module and, if they can't, don't bother to try mounting the file system. When the NFS modules are built into the kernel, modprobe will fail and the file system won't be mounted even though it can be. To check if this is an issue, execute the command below.

 # mount | grep rpc_pipefs
 sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

If the output above is missing, add the line below to your /etc/fstab file and then run mount -a.

 rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0

After this we need to tell NFSD what to export. Make a directory named /export and then add the line below to your /etc/exports file. Note this is just an example. It is important to make sure that the security_label option is present and that fsid=0. This tells the server that it should export security labels on this export and that it is also the root of the pseudo file system.

 /export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync)

Next start the NFS service, configure the NFS service to start on several runlevels, and verify the export.

 # service nfs start
 # chkconfig --level 345 nfs on
 # showmount -e

Finally attempt to locally mount the file system and verify that it is using file labels.

 # mkdir /mnt/nfsv4
 # mount -t nfs4 localhost:/ /mnt/nfsv4
 # grep seclabel /proc/mounts

=== Client ===

The client setup is much simpler. First enable rpcidmapd with the commands below.

 # /etc/init.d/rpcidmapd start
 # chkconfig --level 345 rpcidmapd on

Then mount the export.

 # mkdir /mnt/nfsv4
 # mount -t nfs4 server:/ /mnt/nfsv4

If the mount fails, check to make sure all the necessary services are running on both ends and that your firewall isn't blocking NFSv4 traffic.

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
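The Server and Client sections above leave the verification to three manual commands (mount | grep rpc_pipefs, a visual check of /etc/exports, grep seclabel /proc/mounts). The script below is an added example, not part of the wiki page or the Labeled NFS project, that turns those checks into functions a practitioner can run before reporting a mount failure. It assumes the standard six-field layout of /proc/mounts (device, mount point, type, options, dump, pass), that the label-aware mount shows seclabel in the options field, which is what the page's grep relies on, and the /etc/exports syntax of one path followed by client(option,...) entries. The sample /proc/mounts and /etc/exports contents are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Labeled NFS wiki page): preflight checks for the
# Labeled NFS server setup.  Every check reads a file passed as its first
# argument so it can be pointed at the live /proc/mounts and /etc/exports or at
# the constructed samples below.  A check returns 0 when it passes.

# 1. Is rpc_pipefs mounted?  Field 3 of /proc/mounts is the filesystem type.
rpc_pipefs_mounted() {
    awk '$3 == "rpc_pipefs" { found = 1 } END { if (found) exit 0; exit 1 }' "$1"
}

# 2. Does every client entry of export PATH ($2) carry OPTION ($3)?
#    /etc/exports lines look like:  /export  host1(opt,opt)  host2(opt,opt)
#    Checking every client entry matters: one client without security_label
#    gets the export without labels.
export_option_present() {
    awk -v p="$2" -v o="$3" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 != p        { next }
        {
            seen = 1
            for (i = 2; i <= NF; i++) {
                split($i, parts, "[()]")        # parts[2] = comma-separated option list
                n = split(parts[2], opts, ",")
                ok = 0
                for (j = 1; j <= n; j++) if (opts[j] == o) ok = 1
                if (!ok) missing = 1
            }
        }
        END { if (seen && !missing) exit 0; exit 1 }
    ' "$1"
}

# 3. Is the mount at MOUNTPOINT ($2) carrying the seclabel option?  This is the
#    page's "grep seclabel /proc/mounts", narrowed to one mount point so a label
#    on some other filesystem cannot mask a missing one on the NFSv4 mount.
mount_has_seclabel() {
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "seclabel") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Run all checks; defaults to the live files and the paths the wiki page uses.
# Prints one line per check and returns non-zero if any check failed.
preflight() {
    mounts=${1:-/proc/mounts}
    exports=${2:-/etc/exports}
    rc=0
    if rpc_pipefs_mounted "$mounts"; then echo "ok   rpc_pipefs is mounted"
    else echo "FAIL rpc_pipefs not mounted (add the fstab line and run mount -a)"; rc=1; fi
    if export_option_present "$exports" /export security_label; then echo "ok   /export carries security_label"
    else echo "FAIL /export lacks security_label on at least one client entry"; rc=1; fi
    if export_option_present "$exports" /export fsid=0; then echo "ok   /export is the pseudo-fs root (fsid=0)"
    else echo "FAIL /export lacks fsid=0"; rc=1; fi
    if mount_has_seclabel "$mounts" /mnt/nfsv4; then echo "ok   /mnt/nfsv4 is mounted with seclabel"
    else echo "FAIL /mnt/nfsv4 is not mounted with seclabel"; rc=1; fi
    return $rc
}

# Constructed sample inputs (not captured from a real host), written into
# directory $1 so the checks can be exercised offline.
write_samples() {
    cat > "$1/mounts" <<'EOF'
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
localhost:/ /mnt/nfsv4 nfs4 rw,relatime,vers=4,seclabel,addr=127.0.0.1 0 0
EOF
    cat > "$1/exports_good" <<'EOF'
# sample /etc/exports: labelled root of the pseudo file system
/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync)
EOF
    cat > "$1/exports_bad" <<'EOF'
/export *(rw,fsid=0,sec=unix,insecure,no_subtree_check,sync)
/data   10.0.0.0/8(rw,security_label) 192.168.1.5(ro)
EOF
}

# Stand-alone use:  sh lnfs_preflight.sh --live      (check this machine)
#                   sh lnfs_preflight.sh --samples   (run against the constructed samples)
case "${1:-}" in
    --live)    preflight ;;
    --samples) d=$(mktemp -d); write_samples "$d"
               echo "== good exports:"; preflight "$d/mounts" "$d/exports_good"
               echo "== bad exports:";  preflight "$d/mounts" "$d/exports_bad"
               rm -rf "$d" ;;
esac
```

With --samples the second run reports that /export lacks security_label while fsid=0 is still present, which is exactly the misconfiguration the page warns about: the export works, but without labels. The per-client check also catches a mixed line such as the /data entry in the bad sample, where one client gets security_label and another does not.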
http://selinuxproject.org/page/Labeled_NFS/TODO Labeled NFS/TODO 2009-10-20T21:31:12Z DaveQuigley

= Labeled NFS TODO List =

This page contains a list of TODO items for the Labeled NFS project. Each section describes the high level task and the subtasks identified for the task so far. These sections also have a brief description of the current status and progress of each task.
This list of work items shall not be considered as a request for proposal or otherwise construed as a commitment by NSA to anyone for the procurement of equipment, services, or any obligation. The NSA reserves the right to not pursue work in any area identified below or to discontinue, at any time, research in progress in any of these areas.

= Task List =

'''Linux Prototype Tasks:'''
* Label Translation Framework
* Provide a mechanism to allow NFSD to determine a context to perform operations as
* Implement RPCSECGSSv3
* Develop MLS CALIPSO Translation Module (Preferably Linux/FreeBSD portable)
* Add xattr export option to allow dumb server to specify storage location of attribute

'''IETF Tasks:'''
* Labeled NFS Scope Document
* Policy Format Specification Document
* CALIPSO MLS Format Specification Document

'''FreeBSD 8.0 Prototype Tasks:'''
* Implement MAC Recommended attribute
* Implement RPCSECGSSv3
* Implement Translation Framework
* Implement CALIPSO MLS Translation Module

= Linux Prototype Tasks =

== Label Translation Framework ==

'''Description:'''
To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.

'''Subtasks:'''
* Review existing label translation framework patches
* Determine changes in NFS/user-space communication mechanisms since the patches were written
* Update patches to reflect new changes to rpc_pipefs and to leverage changes made by idmapd

'''Status:'''
When the Labeled NFS effort was first started an initial prototype of the translation framework and daemon were written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. The patches can be made available to anyone who wants to attempt to update the code.

== NFSD Subject Context Selection ==

'''Description:'''
Currently when an NFS server processes a request the kernel daemon runs in the kernel_t type. This is not ideal since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However, even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than the client process label. In the event that there is no client process label being translated this framework should provide a way for administrators to specify labels for clients based on some criteria. This may include: authenticated user, network interface, or IP address. In the event that the client is asserting a process label the mechanism should also provide a way to restrict which labels the client is permitted to assert.

'''Subtasks:'''
* Start a list of potential external criteria to base labeling on
* Design a mechanism to allow kernel daemons to request a subject label based on these criteria
* Implement the mechanism

'''Status:'''
There is currently no progress on this task, nor has anyone taken it as an item to work on.

== RPCSECGSSv3 Implementation ==

'''Description:'''
After several iterations of client process label transport a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications. An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.

'''Subtasks:'''
* Read the specification and study prior RPCSECGSS versions
* Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (Kernel: net/sun/auth_gss; User Space: rpc.gssd)
* Provide feedback to the specification writers during implementation

'''Status:'''
There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.

== MLS CALIPSO Translation Module ==

'''Description:'''
To provide an interoperable demonstration platform for Labeled NFS a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written in a way that is portable to both Linux and FreeBSD.

'''Subtasks:'''
* Evaluate Linux CIPSO Label implementation
* Evaluate FreeBSD CIPSO Label implementation
* Port implementations as necessary
* Implement module

'''Status:'''
No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.

== Xattr Export Option ==

'''Description:'''
The existing Linux implementation of Labeled NFS requires an LSM to be present since it uses that interface to set the security attributes on the file. One of the usage models for Labeled NFS is a dumb server mode where the server does not implement any sort of MAC functionality. In this case the interface to set the file labels won't work. A solution for this is to allow an administrator to provide an export option like xattr=(security.something) to store the security label in.

'''Subtasks:'''
* Add export option to NFSv4 to allow users to specify xattr=(xattr name)
* Modify nfs-utils to allow xattr= as a new export option
* Modify Labeled NFS server code to use vfs_setxattr or vfs_setxattr_noperm to set the xattr directly when the xattr export option is set
* Modify Labeled NFS server code to parse the new xattr export option and store the data so it is accessible

'''Status:'''
No work has been done on this task to date; however, it is a relatively low difficulty task. This task has not been claimed.

= IETF Tasks =

== Labeled NFS Scope Document ==

'''Description:'''
As part of the IETF process several documents need to be authored. The most recent is a scope document for the NFSv4 working group which outlines the extent of the changes needed to support Labeled NFS and the external dependencies it has.

'''Subtasks:'''
* Integrate use cases from James and Jarrett
* Write sections containing policy label format and initial formats
* Write sections containing policy interoperability

'''Status:'''
Work has started on this document and some sections are already written. James Morris and Jarrett Lu have contributed text for the use case sections while David Quigley has started writing the other sections.

== Policy Format Specification Document ==

'''Description:'''
As part of the effort to address interoperability one avenue being explored is a method of separating the security label into two components. The outer component, formerly referred to as a DOI, will be replaced with a policy format specifier which will specify the syntactic format of the label, enabling a separation of format and policy semantics.

'''Subtasks:'''
* None as of yet

'''Status:'''
This document has not yet been started.

== CALIPSO MLS Format Specification Document ==

'''Description:'''
As part of the development of an interoperable demonstration platform a document outlining the label format for a CALIPSO label needs to be specified. This will be used as part of the example documents for outlining an interoperable Labeled NFS environment.

'''Subtasks:'''
* None as of yet

'''Status:'''
This document has not been started; however, the existing CALIPSO document has a long section on how labels are represented. This might be able to be used for a large portion of the new document with permission of the original authors.

= FreeBSD 8.0 Prototype Tasks =

== Implement MAC Recommended Attribute ==

'''Description:'''
In order to provide object label transport a new recommended attribute has been proposed and accepted as the correct solution in NFSv4. This needs to be implemented in the FreeBSD 8.0 NFSv4 code. The specification for the attribute can be found in the IETF Internet Draft archives.

'''Subtasks:'''
* None as of yet

'''Status:'''
No work has been done on this task; however, members of the FreeBSD community have expressed interest in assisting with this effort.

== Implement RPCSECGSSv3 ==

'''Description:'''
After several iterations of client process label transport a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications.
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read Specification and study prior RPCSECGSS versions<br /> * Evaluate the FreeBSD 8.0 RPCSEC_GSS implementation for components needed by RPCSECGSSv3<br /> * Provide feedback to specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3 however there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> == Implement Translation Framework ==<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy or even MAC model there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through however a mechanism is needed to allow for the kernel and user space to communicate. In addition to this a framework for supplying translation modules needs to be present to allow for a plugable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Evaluate kernel/userspace communication mechanisms for use in the framework<br /> * Attempt to port daemon and library implemented for the Linux translation framework<br /> * If porting is not possible implement labelmapd and label mapping library<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started an initial prototype of the translation framework and daemon were written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. 
The patches can be made available to anyone who wants to attempt to update the code.

== Implement CALIPSO MLS Translation Module ==

'''Description:'''
This task is identical to the one listed under the Linux Prototype section.

To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written in a way that is portable to both Linux and FreeBSD.

'''Subtasks:'''
* Evaluate the Linux CIPSO label implementation
* Evaluate the FreeBSD CIPSO label implementation
* Port implementations as necessary
* Implement the module

'''Status:'''
No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS/TODO Labeled NFS/TODO 2009-10-20T21:30:26Z <p>DaveQuigley: </p> <hr /> <div>= Labeled NFS TODO List =

This page contains a list of TODO items for the Labeled NFS project. Each section describes the high level task and the subtasks identified for it so far. These sections also give a brief description of the current status and progress of each task. This list of work items shall not be considered as a request for proposal or otherwise construed as a commitment by NSA to anyone for the procurement of equipment, services, or any obligation.
The NSA reserves the right to not pursue work in any area identified below or to discontinue, at any time, research in progress in any of these areas.</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS/TODO Labeled NFS/TODO 2009-10-01T16:24:15Z <p>DaveQuigley: /* Labeled NFS TODO List */</p> <hr /> <div>= Labeled NFS TODO List =

This page contains a list of TODO items for the Labeled NFS project. Each section describes the high level task and the subtasks identified for it so far. These sections also give a brief description of the current status and progress of each task. This list of work items shall not be considered as a request for proposal or otherwise construed as a commitment by NSA to anyone for the procurement of equipment, services, or any obligation.
The NSA reserves the right to not pursue work in any area identified below or to discontinue, at any time, research in progress in any of these areas.<br /> <br /> = Task List =<br /> <br /> '''Linux Prototype Tasks:'''<br /> * Label Translation Framework<br /> * Provide a mechanism to allow NFSD to determine a context to perform operations as<br /> * Implement RPCSECGSSv3<br /> * Develop MLS CALIPSO Translation Module (Preferably Linux/FreeBSD portable)<br /> <br /> '''IETF Tasks:'''<br /> * Labeled NFS Scope Document<br /> * Policy Format Specification Document<br /> * CALIPSO MLS Format Specification Document<br /> <br /> '''FreeBSD 8.0 Prototype Tasks:'''<br /> * Implement MAC Recommended attribute<br /> * Implement RPCSECGSSv3<br /> * Implement Translation Framework<br /> * Implement CALIPSO MLS Translation Module<br /> <br /> = Linux Prototype Tasks =<br /> <br /> == Label Translation Framework ==<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy or even MAC model there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through however a mechanism is needed to allow for the kernel and user space to communicate. In addition to this a framework for supplying translation modules needs to be present to allow for a plugable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Review existing label translation framework patches<br /> * Determine changes in NFS/User-space communication mechanisms since patches were written<br /> * Update patches to reflect new changes to rpcpipefs and to leverage changes made by idmapd<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started an initial prototype of the translation framework and daemon were written. 
These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. The patches can be made available anyone who wants to attempt to update the code.<br /> <br /> <br /> == NFSD Subject Context Selection ==<br /> <br /> '''Description:'''<br /> Currently when an NFS server processes a request the kernel daemon runs in the kernel_t type. This is not ideal since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than client process label. In the event that there is no client process label being translated this framework should provide a way for administrators to specify labels for clients based on some criteria. This may include: authenticated user, network interface, or ip address. In the event that the client is asserting a process label the mechanism should also provide a way to restrict which labels the client is permitted to assert.<br /> <br /> '''Subtasks:'''<br /> * Start a list of potential external criteria to base labeling on<br /> * Design mechanism to allow kernel daemons to request a subject label based on these criteria<br /> * Implement mechanism<br /> <br /> <br /> '''Status:'''<br /> There currently is no progress on this task nor has anyone taken it as an item to work on.<br /> <br /> == RPCSECGSSv3 Implementation ==<br /> <br /> '''Description:'''<br /> After several iterations of client process label transport a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS which is the security mechanism used by NFSv4 for protecting RPC communications. 
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read Specification and study prior RPCSECGSS versions<br /> * Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (Kernel: net/sun/auth_gss User Space: rpc.gssd)<br /> * Provide feedback to specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3 however there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> == MLS CALIPSO Translation Module ==<br /> <br /> '''Description:'''<br /> To show an interoperable demonstration platform for Labeled NFS a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communication with each other. This module should preferably be written in a way so that it is portable to Linux and FreeBSD.<br /> <br /> '''Subtasks:'''<br /> * Evaluate Linux CIPSO Label implementation<br /> * Evaluate FreeBSD CIPSO Label implementation<br /> * Port implementations as necessary<br /> * Implement module<br /> <br /> '''Status:'''<br /> No work has been done on this task as of date however Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed<br /> <br /> = IETF Tasks =<br /> <br /> == Labeled NFS Scope Document ==<br /> <br /> '''Description:'''<br /> As part of the IETF process several documents need to be authored. 
The most recent is a scope document for the NFSv4 working group which outlines the extend of the changes needed to support Labeled NFS and the external dependencies it has.<br /> '''Subtasks:'''<br /> * Integrate use cases from James and Jarrett<br /> * Write sections containing policy label format and initial formats<br /> * Write sections containing policy interoperability <br /> <br /> '''Status:'''<br /> <br /> Work has started on this document and some sections are already written. James Morris and Jarrett Lu have contributed text for the use case sections while David Quigley has started writing the other sections.<br /> <br /> == Policy Format Specification Document ==<br /> <br /> '''Description:'''<br /> As part of the effort to address interoperability one avenue being explored is a method of separating the security label into two components. The outer components formerly referred to as a DOI will be replaced with a policy format specifier which will specify the syntactic format of the label enabling a separation of format and policy semantics.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> This document has not yet been started.<br /> <br /> == CALIPSO MLS Format Specification Document ==<br /> <br /> '''Description:'''<br /> As part of the development of an interoperable demonstration platform a document outlining the label format for a CALIPSO label needs to be specified. This will be used as part of the example documents for outlining an interoperable Labeled NFS environment.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> This document has not been started however the existing CALIPSO document has a long section on how labels are represented. 
This might be able to be used for a large portion of the new document with permission of the original authors.<br /> <br /> = FreeBSD 8.0 Prototype Tasks =<br /> <br /> == Implement MAC Recommended Attribute ==<br /> <br /> '''Description:'''<br /> In order to provide object label transport a new recommended attribute has been proposed and accepted as the correct solution in NFSv4. This needs to be implemented in the FreeBSD 8.0 NFSv4 code. The specification for the attribute can be found in the IETF Internet Draft archives.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> No work has been done on this task however members of the FreeBSD community have expressed interest in assisting with this effort.<br /> <br /> == Implement RPCSECGSSv3 ==<br /> <br /> '''Description:'''<br /> After several iterations of client process label transport a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS which is the security mechanism used by NFSv4 for protecting RPC communications. 
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read Specification and study prior RPCSECGSS versions<br /> * Evaluate the FreeBSD 8.0 RPCSEC_GSS implementation for components needed by RPCSECGSSv3<br /> * Provide feedback to specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3 however there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> == Implement Translation Framework ==<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy or even MAC model there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through however a mechanism is needed to allow for the kernel and user space to communicate. In addition to this a framework for supplying translation modules needs to be present to allow for a plugable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Evaluate kernel/userspace communication mechanisms for use in the framework<br /> * Attempt to port daemon and library implemented for the Linux translation framework<br /> * If porting is not possible implement labelmapd and label mapping library<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started an initial prototype of the translation framework and daemon were written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. 
The patches can be made available anyone who wants to attempt to update the code.<br /> <br /> == Implement CALIPSO MLS Translation Module ==<br /> <br /> '''Description:'''<br /> This task is identical to the one listed under the Linux Prototype section.<br /> <br /> To show an interoperable demonstration platform for Labeled NFS a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communication with each other. This module should preferably be written in a way so that it is portable to Linux and FreeBSD.<br /> <br /> '''Subtasks:'''<br /> * Evaluate Linux CIPSO Label implementation<br /> * Evaluate FreeBSD CIPSO Label implementation<br /> * Port implementations as necessary<br /> * Implement module<br /> <br /> '''Status:'''<br /> No work has been done on this task as of date however Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2009-09-30T18:46:32Z <p>DaveQuigley: Modified text to reflect new source tree layout</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort to provide the mechanisms required to use Mandatory Access Control systems with [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> == Getting the code ==<br /> <br /> The Labeled NFS prototype is published as a series of public git trees that <br /> can be found at http://git.selinuxproject.org/git/. <br /> <br /> The Labeled NFS project has recently reorganized the way that patches and <br /> source trees are made available. In the past there was one git tree per <br /> component and if you wanted to get the patch set for a component you would <br /> clone the tree and extract the patches using git-format-patch on the branch <br /> containing the patches. 
This model made development against the tree difficult <br /> as it would be destroyed every time it was rebased against upstream losing <br /> the history of prior patch versions.<br /> <br /> The new method of releasing the Labeled NFS code consists of two<br /> git trees. If you look at http://selinuxproject.org/git there is a tree<br /> named lnfs-patchset and another named lnfs. The first tree contains a<br /> guilt patch series with the Labeled NFS code. As of the moment there is<br /> just the version of the patches for 2.6.31 in the tree. As time goes by<br /> there will be new commits for the patches which are for newer kernel<br /> versions. It is unclear if only release versions will be tracked or if<br /> RC tags will be tracked as well. If RC tags are tracked tags rc1 and maybe <br /> even rc2 will probably be skipped seeing as rc1 is the close of the merge <br /> window and there is no guarantee that the tree is not completely broken.<br /> <br /> The second tree mentioned above is the full kernel tree with the Labeled NFS <br /> patches applied. While the lnfs-patchset repository uses tags to mark <br /> particular kernel versions this isn't possible with the kernel git tree <br /> so we use branches instead. In the lnfs tree you will find a branch for <br /> each tag in the lnfs-patchset repository. So currently there is a <br /> v2.6.31-lnfs branch on the lnfs git tree. If you wish to do development <br /> against the LNFS tree or test the code you should check out the latest <br /> version of the tree. 
The main branch for the repository will always be <br /> the latest one, so a git clone should pull it automatically.<br /> <br /> The git trees and the component each contains are listed below:<br /> <br /> '''Kernel'''<br /> * users/dpquigl/lnfs<br /> * users/dpquigl/lnfs-patchset<br /> <br /> '''NFS Utils'''<br /> * users/dpquigl/nfs-utils<br /> * users/dpquigl/nfs-utils-patchset<br /> <br /> '''DOI Mapping Framework Library'''<br /> * users/dpquigl/libnfsdoimap.git (does not have a corresponding patch tree since it is an original work)<br /> <br /> To clone these trees use the command below, substituting any of {lnfs, lnfs-patchset, nfs-utils, nfs-utils-patchset, libnfsdoimap.git} for &lt;tree&gt;.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation describes how to build the Labeled NFS kernel and a modified NFS utilities package. <br /> The development team uses Fedora as the primary development platform, so the instructions below <br /> reference Fedora specific utilities and names. If you are running a distro other than Fedora, <br /> substitute the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since the Labeled NFS code is published via git and a patch management <br /> system named guilt, the next step is to install these utilities.<br /> <br /> yum install git guilt<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled NFS Linux kernel <br /> repository and build and install the kernel. 
If you already know <br /> how to build a Linux kernel then you can skip to the section which <br /> lists the appropriate kernel config options for the Labeled NFS functionality.<br /> <br /> First clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the latest version branch checked out. You can <br /> double check this by issuing the command listed below, which should show a branch based <br /> on the latest kernel version.<br /> <br /> git branch<br /> * v2.6.31-lnfs<br /> <br /> If instead you see * master then you can issue the following command to check out and track the lnfs branch.<br /> <br /> git checkout origin/v2.6.31-lnfs -b v2.6.31-lnfs<br /> <br /> Once that is done, set up the kernel config for the build. A config file with the necessary options can be found <br /> at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel <br /> config, use the kernel config menu to set the options below. 
Otherwise copy the config file into your source <br /> tree and rename it to .config. That file was generated for 2.6.28-rc6, so on the 2.6.31 tree run make oldconfig <br /> afterwards, accept the defaults for any new options it asks about, and confirm that the options below are still set.<br /> <br /> make menuconfig<br /> <br /> General setup ---&gt;<br /> [*] Auditing support<br /> Security options ---&gt;<br /> [*] Enable different security models<br /> [*] Socket and Networking Security Hooks<br /> [*] NSA SELinux Support<br /> File systems ---&gt;<br /> &lt;*&gt; Ext3 journalling file system support<br /> [*] Ext3 extended attributes<br /> [*] Ext3 Security Labels<br /> [*] Network File Systems ---&gt;<br /> &lt;*&gt; NFS file system support<br /> [*] Provide NFSv4 client support<br /> [*] Provide Security Label support for NFSv4 client<br /> &lt;*&gt; NFS server support<br /> [*] Provide NFSv4 server support<br /> [*] Provide Security Label support for NFSv4 server<br /> <br /> The Ext3 security label option matters because the exported file system has to store the security.selinux extended attribute that the labels are read from. The NFS client and server are shown built in (&lt;*&gt;) rather than as modules; if you keep it that way, see the rpc_pipefs caveat in the server setup section below.<br /> <br /> Finally, build and install the tree with the commands below and either edit the boot loader to choose <br /> the new kernel as the default or select it from the menu on boot.<br /> <br /> make<br /> make modules_install install<br /> <br /> === NFS Utils ===<br /> <br /> This section explains how to build and install the modified NFS Utils package needed to export security labels. <br /> This is only needed on the server, which is where exportfs does sanity checking on export arguments. If you <br /> are deploying this on several systems and have clients that don't intend to export any volumes, you don't need <br /> to install this package on those clients. However, you will still need it on the server.<br /> <br /> First, clone the Labeled-NFS nfs-utils repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/nfs-utils<br /> <br /> This should give you the source tree with the latest version branch checked out. 
You can double check that the right branch is checked out <br /> by issuing the command listed below, which should show a branch named after the latest version.<br /> <br /> git branch<br /> * &lt;latest-version&gt;<br /> <br /> If instead you see * master then you can issue the following command to check out and track the branch you want. <br /> <br /> git checkout origin/&lt;desired branch&gt; -b &lt;desired branch&gt;<br /> <br /> After this, build the source tree by issuing the commands below. The final command needs to be executed as root. <br /> If you run into any problems when executing the configure command, go back and make sure you have all the necessary development packages installed.<br /> <br /> sh autogen.sh<br /> ./configure<br /> make<br /> make install<br /> <br /> Since the stock exportfs does not understand the security_label keyword, make sure afterwards that the exportfs and NFS daemons the nfs init script starts are the rebuilt ones: make install puts them under the configure prefix, which is /usr/local unless you passed --prefix=/usr, while the distribution copies stay in /usr/sbin.<br /> <br /> == Client &amp; Server Setup ==<br /> <br /> === Server ===<br /> <br /> The first thing to do is to make sure that the rpc_pipefs file system is available and mounted. <br /> If you use the default Fedora kernel config this will be the case. There is an issue in that <br /> the init scripts for the NFS daemons try to load the sunrpc module, and if that fails they <br /> don't bother trying to mount the file system. When the NFS code is built into the kernel, <br /> modprobe will fail and the file system won't be mounted even though it could be. To check whether this <br /> is an issue, execute the command below.<br /> <br /> # mount | grep rpc_pipefs<br /> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)<br /> <br /> If the output above is missing, add the line below to your /etc/fstab file and then run mount -a.<br /> rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0<br /> <br /> After this we need to tell NFSD what to export. Make a directory named /export and then add a <br /> line like the one below to your /etc/exports file. The line is only an example, but whatever else you put in it, make sure <br /> that the security_label option is present and that fsid=0 is set. 
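The script below is an added example; it is not code from the original wiki page or from the Labeled NFS project. It turns the checks in this section into shell functions that can be run as a preflight before starting the service: the kernel options from the build section, the rpc_pipefs mount described just above, the security_label and fsid=0 requirement on the /etc/exports line, and the seclabel check that is done after the first local mount. The function names are this example's own. The Kconfig symbols are the mainline names behind the menuconfig entries, except that the two *_SECURITY_LABEL names are an assumption (they are the names later merged upstream, and the 2.6.31 prototype tree may spell them differently). Every function takes a file path, so it can be run against the live files or against copies.

```sh
#!/bin/sh
# Labeled NFS server preflight checks.
# Added example: not part of the original wiki page or the Labeled NFS code.
# Each check takes a file path so it can be pointed at the live files
# (/boot/config-$(uname -r), /proc/mounts, /etc/exports) or at test copies.

# Kconfig symbols behind the menuconfig entries listed for the kernel build.
# ASSUMPTION: the two *_SECURITY_LABEL names are the ones later merged upstream.
LNFS_REQUIRED_CONFIG="
CONFIG_AUDIT
CONFIG_SECURITY
CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_SELINUX
CONFIG_EXT3_FS
CONFIG_EXT3_FS_XATTR
CONFIG_EXT3_FS_SECURITY
CONFIG_NFS_FS
CONFIG_NFS_V4
CONFIG_NFS_V4_SECURITY_LABEL
CONFIG_NFSD
CONFIG_NFSD_V4
CONFIG_NFSD_V4_SECURITY_LABEL
"

# check_kernel_config CONFIG_FILE: print every required symbol that is not =y
# or =m. "disabled" means it exists but is off; "unknown" means this tree has
# no such symbol, which usually means the name differs in this tree.
check_kernel_config() {
    config=$1
    missing=0
    for sym in $LNFS_REQUIRED_CONFIG; do
        if grep -q "^$sym=[ym]\$" "$config"; then
            continue
        elif grep -q "^# $sym is not set\$" "$config"; then
            echo "disabled: $sym"
        else
            echo "unknown:  $sym"
        fi
        missing=1
    done
    return $missing
}

# rpc_pipefs_mounted MOUNTS_FILE: true if a /proc/mounts-style listing shows
# rpc_pipefs mounted (the init script skips this when modprobe sunrpc fails).
rpc_pipefs_mounted() {
    awk 'BEGIN { found = 0 } $3 == "rpc_pipefs" { found = 1 } END { exit !found }' "$1"
}

# check_exports EXPORTS_FILE: parse "path host(opt,...) ..." lines. Fail if the
# pseudo file system root (fsid=0) lacks security_label; warn when a labeled
# export is open to every host (*) or accepts non-privileged source ports.
check_exports() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match($i, /\(.*\)$/)) {       # split host(opts)
                    host = substr($i, 1, RSTART - 1)
                    opts = "," substr($i, RSTART + 1, RLENGTH - 2) ","
                }
                if (opts ~ /,fsid=0,/ && opts !~ /,security_label,/) {
                    printf "ERROR %s %s: fsid=0 without security_label\n", path, host
                    bad = 1
                }
                if (opts ~ /,security_label,/ && host == "*")
                    printf "WARN  %s: labeled export is open to every host\n", path
                if (opts ~ /,insecure,/)
                    printf "WARN  %s %s: accepts non-privileged source ports\n", path, host
            }
        }
        END { exit bad }
    ' "$1"
}

# nfs4_mount_labeled MOUNTS_FILE MOUNTPOINT: true if the nfs4 mount at
# MOUNTPOINT carries the seclabel option, i.e. per-file labels are in effect.
nfs4_mount_labeled() {
    awk -v mp="$2" 'BEGIN { found = 0 }
        $2 == mp && $3 == "nfs4" && ("," $4 ",") ~ /,seclabel,/ { found = 1 }
        END { exit !found }' "$1"
}

# lnfs_server_check CONFIG_FILE MOUNTS_FILE EXPORTS_FILE [MOUNTPOINT]
# Runs the checks in setup order; returns 0 only if all of them pass.
lnfs_server_check() {
    rc=0
    check_kernel_config "$1" || rc=1
    rpc_pipefs_mounted "$2" || { echo "rpc_pipefs is not mounted"; rc=1; }
    check_exports "$3" || rc=1
    if [ -n "${4:-}" ]; then
        nfs4_mount_labeled "$2" "$4" || { echo "$4 is not an nfs4 mount with seclabel"; rc=1; }
    fi
    return $rc
}
```

Source the file on the server and run lnfs_server_check /boot/config-$(uname -r) /proc/mounts /etc/exports /mnt/nfsv4 once the local mount described below is in place. The exports parser only understands the host(options) form used on this page, and it deliberately reports the open client list and the insecure option as warnings rather than errors, because the page's example line uses both.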
The security_label option tells the server to <br /> export security labels on this export, and fsid=0 makes it the root of the NFSv4 pseudo file system.<br /> <br /> /export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync)<br /> <br /> Treat the rest of that line as a lab configuration: the * client list exports to every host, insecure accepts client connections from non-privileged source ports, and sec=unix (AUTH_SYS) trusts whatever UID and GID the client asserts. Outside a test bed, restrict the client list and use one of the Kerberos flavours (sec=krb5, krb5i or krb5p).<br /> <br /> Next start the NFS service, configure it to start on the usual runlevels, and verify the export.<br /> <br /> # service nfs start<br /> # chkconfig --level 345 nfs on<br /> # showmount -e<br /> <br /> Finally, attempt to mount the file system locally and verify that it is using file labels; the mount should show the seclabel option.<br /> <br /> # mkdir /mnt/nfsv4<br /> # mount -t nfs4 localhost:/ /mnt/nfsv4<br /> # grep seclabel /proc/mounts<br /> <br /> === Client ===<br /> <br /> The client setup is much simpler. First enable rpcidmapd with the commands below.<br /> <br /> # /etc/init.d/rpcidmapd start<br /> # chkconfig --level 345 rpcidmapd on<br /> <br /> Then mount the export.<br /> <br /> # mkdir /mnt/nfsv4<br /> # mount -t nfs4 server:/ /mnt/nfsv4<br /> <br /> If the mount fails, check that all the necessary services are running on both ends and that your firewall isn't blocking NFSv4 traffic (NFSv4 uses TCP port 2049 only and does not need the portmapper).<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt 
draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list, and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS/TODO Labeled NFS/TODO 2009-09-30T14:29:29Z <p>DaveQuigley: </p> <hr /> <div>= Labeled NFS TODO List=<br /> <br /> This page contains a list of TODO items for the Labeled NFS project. Each section describes the high level task and the subtasks identified for it so far. 
These sections also have a brief description of the current status and progress of each task.<br /> <br /> = Task List =<br /> <br /> '''Linux Prototype Tasks:'''<br /> * Label Translation Framework<br /> * Provide a mechanism to allow NFSD to determine a context to perform operations as<br /> * Implement RPCSECGSSv3<br /> * Develop MLS CALIPSO Translation Module (preferably Linux/FreeBSD portable)<br /> <br /> '''IETF Tasks:'''<br /> * Labeled NFS Scope Document<br /> * Policy Format Specification Document<br /> * CALIPSO MLS Format Specification Document<br /> <br /> '''FreeBSD 8.0 Prototype Tasks:'''<br /> * Implement MAC Recommended attribute<br /> * Implement RPCSECGSSv3<br /> * Implement Translation Framework<br /> * Implement CALIPSO MLS Translation Module<br /> <br /> = Linux Prototype Tasks =<br /> <br /> == Label Translation Framework ==<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Review existing label translation framework patches<br /> * Determine changes in NFS/user-space communication mechanisms since the patches were written<br /> * Update the patches to reflect new changes to rpc_pipefs and to leverage changes made by idmapd<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon were written. These patches still exist but need to be updated to the latest versions of Labeled NFS and nfs-utils. 
The patches can be made available to anyone who wants to attempt to update the code.<br /> <br /> <br /> == NFSD Subject Context Selection ==<br /> <br /> '''Description:'''<br /> Currently, when an NFS server processes a request, the kernel daemon runs in the kernel_t type, so every request is mediated under the same subject label regardless of which client or user sent it. This is not ideal, since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However, even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than the client process label. In the event that there is no client process label being translated, this framework should provide a way for administrators to specify labels for clients based on some criteria, which may include the authenticated user, network interface, or IP address. In the event that the client is asserting a process label, the mechanism should also provide a way to restrict which labels the client is permitted to assert.<br /> <br /> '''Subtasks:'''<br /> * Start a list of potential external criteria to base labeling on<br /> * Design a mechanism to allow kernel daemons to request a subject label based on these criteria<br /> * Implement the mechanism<br /> <br /> <br /> '''Status:'''<br /> There is currently no progress on this task, nor has anyone taken it as an item to work on.<br /> <br /> == RPCSECGSSv3 Implementation ==<br /> <br /> '''Description:'''<br /> After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSEC_GSS, which is the security mechanism used by NFSv4 for protecting RPC communications. 
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read the specification and study prior RPCSEC_GSS versions<br /> * Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (kernel: net/sunrpc/auth_gss; user space: rpc.gssd)<br /> * Provide feedback to the specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> == MLS CALIPSO Translation Module ==<br /> <br /> '''Description:'''<br /> To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written so that it is portable to both Linux and FreeBSD.<br /> <br /> '''Subtasks:'''<br /> * Evaluate the Linux CIPSO label implementation<br /> * Evaluate the FreeBSD CIPSO label implementation<br /> * Port implementations as necessary<br /> * Implement the module<br /> <br /> '''Status:'''<br /> No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.<br /> <br /> = IETF Tasks =<br /> <br /> == Labeled NFS Scope Document ==<br /> <br /> '''Description:'''<br /> As part of the IETF process several documents need to be authored. 
The most recent is a scope document for the NFSv4 working group which outlines the extent of the changes needed to support Labeled NFS and the external dependencies it has.<br /> <br /> '''Subtasks:'''<br /> * Integrate use cases from James and Jarrett<br /> * Write sections covering the policy label format and initial formats<br /> * Write sections covering policy interoperability <br /> <br /> '''Status:'''<br /> <br /> Work has started on this document and some sections are already written. James Morris and Jarrett Lu have contributed text for the use case sections, while David Quigley has started writing the other sections.<br /> <br /> == Policy Format Specification Document ==<br /> <br /> '''Description:'''<br /> As part of the effort to address interoperability, one avenue being explored is a method of separating the security label into two components. The outer component, formerly referred to as a DOI, will be replaced with a policy format specifier which specifies the syntactic format of the label, enabling a separation of format and policy semantics.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> This document has not yet been started.<br /> <br /> == CALIPSO MLS Format Specification Document ==<br /> <br /> '''Description:'''<br /> As part of the development of an interoperable demonstration platform, a document outlining the label format for a CALIPSO label needs to be written. This will be used as part of the example documents outlining an intero
perable Labeled NFS environment.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> This document has not been started; however, the existing CALIPSO document has a long section on how labels are represented. 
Much of that text might be reusable in the new document, with the permission of the original authors.<br /> <br /> = FreeBSD 8.0 Prototype Tasks =<br /> <br /> == Implement MAC Recommended Attribute ==<br /> <br /> '''Description:'''<br /> In order to provide object label transport, a new recommended attribute has been proposed and accepted as the correct solution in NFSv4. This needs to be implemented in the FreeBSD 8.0 NFSv4 code. The specification for the attribute can be found in the IETF Internet Draft archives.<br /> <br /> '''Subtasks:'''<br /> * None as of yet<br /> <br /> '''Status:'''<br /> No work has been done on this task; however, members of the FreeBSD community have expressed interest in assisting with this effort.<br /> <br /> == Implement RPCSECGSSv3 ==<br /> <br /> '''Description:'''<br /> After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSEC_GSS, which is the security mechanism used by NFSv4 for protecting RPC communications. 
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read the specification and study prior RPCSEC_GSS versions<br /> * Evaluate the FreeBSD 8.0 RPCSEC_GSS implementation for components needed by RPCSECGSSv3<br /> * Provide feedback to the specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> == Implement Translation Framework ==<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Evaluate kernel/userspace communication mechanisms for use in the framework<br /> * Attempt to port the daemon and library implemented for the Linux translation framework<br /> * If porting is not possible, implement labelmapd and a label mapping library<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon were written. These patches still exist but need to be updated to the latest versions of Labeled NFS and nfs-utils. 
The patches can be made available to anyone who wants to attempt to update the code.<br /> <br /> == Implement CALIPSO MLS Translation Module ==<br /> <br /> '''Description:'''<br /> This task is identical to the one listed under the Linux Prototype section.<br /> <br /> To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written so that it is portable to both Linux and FreeBSD.<br /> <br /> '''Subtasks:'''<br /> * Evaluate the Linux CIPSO label implementation<br /> * Evaluate the FreeBSD CIPSO label implementation<br /> * Port implementations as necessary<br /> * Implement the module<br /> <br /> '''Status:'''<br /> No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS/TODO Labeled NFS/TODO 2009-09-29T22:14:43Z <p>DaveQuigley: </p> <hr /> <div>= Labeled NFS TODO List=<br /> <br /> This page contains a list of TODO items for the Labeled NFS project. Each section describes the high level task and the subtasks identified for it so far. 
These sections also give a brief description of the current status and progress of each task.<br /> <br /> == Task List ==<br /> <br /> '''Linux Prototype Tasks:'''<br /> * Label Translation Framework<br /> * Provide a mechanism to allow NFSD to determine a context to perform operations as<br /> * Implement RPCSECGSSv3<br /> * Develop MLS CALIPSO Translation Module (preferably Linux/FreeBSD portable)<br /> <br /> '''IETF Tasks:'''<br /> * Labeled NFS Scope Document<br /> * Policy Format Specification Document<br /> * CALIPSO MLS Format Specification Document<br /> <br /> '''FreeBSD 8.0 Prototype Tasks:'''<br /> * Implement MAC Recommended attribute<br /> * Implement RPCSECGSSv3<br /> * Implement Translation Framework<br /> * Implement CALIPSO MLS Translation Module<br /> <br /> == Linux Prototype Tasks ==<br /> <br /> === Label Translation Framework ===<br /> <br /> '''Description:'''<br /> To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.<br /> <br /> '''Subtasks:'''<br /> * Review the existing label translation framework patches<br /> * Determine what has changed in the NFS/user-space communication mechanisms since the patches were written<br /> * Update the patches to reflect the changes to rpcpipefs and to leverage the changes made by idmapd<br /> <br /> '''Status:'''<br /> When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon was written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils.
The patches can be made available to anyone who wants to attempt to update the code.<br /> <br /> === NFSD Subject Context Selection ===<br /> <br /> '''Description:'''<br /> Currently, when an NFS server processes a request, the kernel daemon runs in the kernel_t type. This is not ideal, since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full-mode Labeled NFS this label would be provided by the client making the request. However, even in the presence of full mode, it would be useful to be able to restrict clients to certain labels based on criteria other than the client process label. In the event that there is no client process label being translated, this framework should provide a way for administrators to specify labels for clients based on some criteria. These may include the authenticated user, the network interface, or the IP address. In the event that the client is asserting a process label, the mechanism should also provide a way to restrict which labels the client is permitted to assert.<br /> <br /> '''Subtasks:'''<br /> * Start a list of potential external criteria to base labeling on<br /> * Design a mechanism to allow kernel daemons to request a subject label based on these criteria<br /> * Implement the mechanism<br /> <br /> '''Status:'''<br /> There is currently no progress on this task, nor has anyone taken it as an item to work on.<br /> <br /> === RPCSECGSSv3 Implementation ===<br /> <br /> '''Description:'''<br /> After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications.
An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.<br /> <br /> '''Subtasks:'''<br /> * Read the specification and study prior RPCSECGSS versions<br /> * Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (kernel: net/sunrpc/auth_gss; user space: rpc.gssd)<br /> * Provide feedback to the specification writers during implementation<br /> <br /> '''Status:'''<br /> There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.<br /> <br /> === MLS CALIPSO Translation Module ===<br /> <br /> '''Description:'''<br /> To provide an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written in a way that is portable to both Linux and FreeBSD.<br /> <br /> '''Subtasks:'''<br /> * Evaluate the Linux CIPSO label implementation<br /> * Evaluate the FreeBSD CIPSO label implementation<br /> * Port implementations as necessary<br /> * Implement the module<br /> <br /> '''Status:'''<br /> No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.<br /> <br /> == IETF Tasks ==<br /> <br /> == FreeBSD 8.0 Prototype Tasks ==</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T21:02:17Z <p>DaveQuigley: </p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].<br /> <br /> Since the
Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora-specific utilities and names. If you are running a distribution other than Fedora, substitute the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development versions of several packages to be installed.
<br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> Since all the Labeled-NFS code is published via git, the next step is to install git if you do not already have it installed. <br /> <br /> yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel, you can skip to the list of kernel config options below, which shows how to enable the Labeled-NFS functionality.<br /> <br /> The first step is to clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double-check this by issuing the command listed below, which should give you the same output.<br /> <br /> git branch<br /> * lnfs<br /> <br /> If instead you see * master, issue the following command to check out and track the lnfs branch.<br /> <br /> git checkout origin/lnfs -b lnfs<br /> <br /> Once that is done we need to set up the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. Copy this file into your source tree and rename it to .config. If you prefer to make your own kernel config, use the kernel config menu to set the options below.
<br /> make menuconfig<br /> <br /> General setup ---&gt;<br />   [*] Auditing support<br /> Security options ---&gt;<br />   [*] Enable different security models<br />   [*] Socket and Networking Security Hooks<br />   [*] NSA SELinux Support<br /> File systems ---&gt;<br />   &lt;*&gt; Ext3 journalling file system support<br />     [*] Ext3 extended attributes<br />       [*] Ext3 Security Labels<br />   [*] Network File Systems ---&gt;<br />     &lt;*&gt; NFS file system support<br />       [*] Provide NFSv4 client support<br />         [*] Provide Security Label support for NFSv4 client<br />     &lt;*&gt; NFS server support<br />       [*] Provide NFSv4 server support<br />         [*] Provide Security Label support for NFSv4 server<br /> <br /> Finally, build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot.<br /> <br /> make<br /> make modules_install install<br /> <br /> === NFS Utils ===<br /> <br /> This section explains how to build and install the modified NFS Utils package needed to export security labels. It is only needed on the server, where exportfs does sanity checking on export arguments. If you are deploying this on several systems and have clients that don't intend to export any volumes, you don't need to install this package on those clients. However, you will still need it on the server.<br /> <br /> The first step is to clone the Labeled-NFS nfs-utils repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/nfs-utils<br /> <br /> This should give you the source tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied.
You can double-check this by issuing the command listed below, which should give you the same output.<br /> <br /> git branch<br /> * lnfs<br /> <br /> If instead you see * master, issue the following command to check out and track the lnfs branch.<br /> <br /> git checkout origin/lnfs -b lnfs<br /> <br /> After this you can build the source tree with the commands below. The final command needs to be executed as root. If you run into any problems when executing the configure command, go back and make sure you have all the necessary development packages installed.<br /> <br /> sh autogen.sh<br /> ./configure<br /> make<br /> make install<br /> <br /> == Client &amp; Server Setup ==<br /> <br /> === Server ===<br /> <br /> The first thing to check is that the rpc_pipefs file system is available and mounted. If you use the default Fedora kernel config this will already be the case. The issue here is that the init scripts for the NFS daemons try to load the sunrpc module, and if they can't, they don't even bother to try mounting the file system. When sunrpc is built into the kernel the modprobe fails and the file system won't be mounted even though it could be. To check this, issue the command below.<br /> <br /> # mount | grep rpc_pipefs<br /> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)<br /> <br /> If you did not see the output above, add this line to your /etc/fstab file and then run mount -a.<br /> <br /> rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0<br /> <br /> After this we need to tell NFSD what to export: make a directory called /export and then add the line below to your /etc/exports file.
Note that this is just an example; the most important thing to have here is the security_label option, which tells the server that it should export security labels for this export. The * host wildcard and the insecure option are convenient for a test setup but offer the export to any host and accept requests from non-privileged source ports, so restrict them for anything beyond a lab.<br /> <br /> /export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync)<br /> <br /> The next step is to start the service, configure the nfs service to start on runlevels 3, 4 and 5, and verify the export.<br /> <br /> # service nfs start<br /> # chkconfig --level 345 nfs on<br /> # showmount -e<br /> <br /> Finally, attempt to mount the file system locally and verify that it is using file labels.<br /> <br /> # mkdir /mnt/nfsv4<br /> # mount -t nfs4 localhost:/ /mnt/nfsv4<br /> # grep security_label /proc/mounts<br /> <br /> === Client ===<br /> <br /> For the client, setup is much simpler. First enable rpcidmapd with the commands below.<br /> <br /> # /etc/init.d/rpcidmapd start<br /> # chkconfig --level 345 rpcidmapd on<br /> <br /> Then mount the export.<br /> <br /> # mkdir /mnt/nfsv4<br /> # mount -t nfs4 server:/ /mnt/nfsv4<br /> <br /> If the mount fails, check that all the necessary services are running on both ends and that your firewall isn't blocking NFSv4 traffic.<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.<br /> **
[http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:43:15Z <p>DaveQuigley: /* Building &amp; Installing the Code */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store 
information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. 
<br /> <br /> yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.<br /> <br /> The first step is the clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.<br /> <br /> git-branch<br /> * lnfs<br /> <br /> If instead you see * master then you can issue the following command to checkout and track the lnfs branch.<br /> <br /> git-checkout origin/lnfs -b lnfs<br /> <br /> Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config use the kernel config menu to set the options below. 
Copy this file into your source tree and rename it to .config.<br /> <br /> make menuconfig<br /> <br /> General setup ---&gt;<br /> [*] Auditing support<br /> Security options ---&gt;<br /> [*] Enable different security models<br /> [*] Socket and Networking Security Hooks<br /> [*] NSA SELinux Support<br /> File systems ---&gt;<br /> &lt;*&gt; Ext3 journalling file system support<br /> [*] Ext3 extended attributes<br /> [*] Ext3 Security Labels<br /> [*] Network File Systems ---&gt;<br /> &lt;*&gt; NFS file system support<br /> [*] Provide NFSv4 client support<br /> [*] Provide Security Label support for NFSv4 client<br /> &lt;*&gt; NFS server support<br /> [*] Provide NFSv4 server support<br /> [*] Provide Security Label support for NFSv4 server<br /> <br /> Finally build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot.<br /> <br /> make<br /> make modules_install install<br /> <br /> === NFS Utils ===<br /> <br /> This section explains how to build and install the modified NFS Utils package needed to export security labels. This is only needed on the server where exportfs does sanity checking on export arguments. If you are deploying this on several systems and have clients that don't intend to export any volumes you don't need to install this package on those clients. However you will still need it on the server.<br /> <br /> The first step is the clone the Labeled-NFS nfs-utils repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/nfs-utils<br /> <br /> This should give you the source tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. 
You can double check this by issuing the command listed below which should give you the same output.<br /> <br /> git-branch<br /> * lnfs<br /> <br /> If instead you see * master then you can issue the following command to checkout and track the lnfs branch.<br /> <br /> git-checkout origin/lnfs -b lnfs<br /> <br /> After this you can build the source tree with the commands below. The final command needs to be executed as root. If you run into any problems when executing the configuration command go back and make sure you have all the necessary development packages installed.<br /> <br /> sh autogen.sh<br /> ./configure<br /> make<br /> make install<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. 
This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:37:21Z <p>DaveQuigley: /* Labeled-NFS Kernel */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. 
<br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. <br /> <br /> yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. 
If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.<br /> <br /> The first step is the clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.<br /> <br /> git-branch<br /> * lnfs<br /> <br /> If instead you see * master then you can issue the following command to checkout and track the lnfs branch.<br /> <br /> git-checkout origin/lnfs -b lnfs<br /> <br /> Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6. If you prefer to make your own kernel config use the kernel config menu to set the options below. 
Copy this file into your source tree and rename it to .config.<br /> <br /> make menuconfig<br /> <br /> General setup ---&gt;<br /> [*] Auditing support<br /> Security options ---&gt;<br /> [*] Enable different security models<br /> [*] Socket and Networking Security Hooks<br /> [*] NSA SELinux Support<br /> File systems ---&gt;<br /> &lt;*&gt; Ext3 journalling file system support<br /> [*] Ext3 extended attributes<br /> [*] Ext3 Security Labels<br /> [*] Network File Systems ---&gt;<br /> &lt;*&gt; NFS file system support<br /> [*] Provide NFSv4 client support<br /> [*] Provide Security Label support for NFSv4 client<br /> &lt;*&gt; NFS server support<br /> [*] Provide NFSv4 server support<br /> [*] Provide Security Label support for NFSv4 server<br /> <br /> Finally build and install your tree with the commands below and either edit your boot loader to choose the new kernel as your default or select it from the menu on boot.<br /> <br /> make<br /> make modules_install install<br /> <br /> === NFS Utils ===<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == 
Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list, and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:35:41Z <p>DaveQuigley: /* Labeled-NFS Kernel */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.
<br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora-specific utilities and names. If you are running a distribution other than Fedora, substitute the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development versions of several packages to be installed. As root:<br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git, the next step is to install git if you do not already have it installed.
<br /> <br /> yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel you can skip ahead to the configuration options below that enable the Labeled-NFS functionality.<br /> <br /> The first step is to clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches that provide the Labeled-NFS functionality are applied. You can double check this with the command below, which should give the same output.<br /> <br /> git branch<br /> * lnfs<br /> <br /> If instead you see * master, check out and track the lnfs branch with the following command.<br /> <br /> git checkout -b lnfs origin/lnfs<br /> <br /> Once that is done we need to set up the kernel config for the build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6.
If you prefer to make your own kernel config, use the kernel config menu to set the options below.<br /> <br /> make menuconfig<br /> <br /> General setup ---&gt;<br /> [*] Auditing support<br /> Security options ---&gt;<br /> [*] Enable different security models<br /> [*] Socket and Networking Security Hooks<br /> [*] NSA SELinux Support<br /> File systems ---&gt;<br /> &lt;*&gt; Ext3 journalling file system support<br /> [*] Ext3 extended attributes<br /> [*] Ext3 Security Labels<br /> [*] Network File Systems ---&gt;<br /> &lt;*&gt; NFS file system support<br /> [*] Provide NFSv4 client support<br /> [*] Provide Security Label support for NFSv4 client<br /> &lt;*&gt; NFS server support<br /> [*] Provide NFSv4 server support<br /> [*] Provide Security Label support for NFSv4 server<br /> <br /> === NFS Utils ===<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS.
This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:31:07Z <p>DaveQuigley: </p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. 
<br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. <br /> <br /> yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. 
If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.<br /> <br /> The first step is the clone the Labeled-NFS kernel repository.<br /> <br /> git clone git://git.selinuxproject.org/~dpquigl/lnfs<br /> <br /> This should give you the kernel tree with the lnfs branch checked out. The lnfs branch is where all of the patches which provide the Labeled-NFS functionality are applied. You can double check this by issuing the command listed below which should give you the same output.<br /> <br /> git-branch<br /> * lnfs<br /> <br /> If instead you see * master then you can issue the following commands to checkout and track the lnfs branch.<br /> <br /> git-checkout origin/lnfs -b lnfs<br /> <br /> Once that is done we need to setup the kernel config for our build. A config file with the necessary options can be found at http://www.selinuxproject.org/~dpquigl/files/lnfs/config-2.6.28-rc6.<br /> <br /> <br /> <br /> === NFS Utils ===<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == 
Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:17:28Z <p>DaveQuigley: /* Labeled-NFS Kernel */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. 
<br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> # yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. 
<br /> <br /> # yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.<br /> <br /> The first step is the clone the Labeled-NFS kernel repository.<br /> <br /> #<br /> <br /> === NFS Utils ===<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. 
This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:16:59Z <p>DaveQuigley: /* Building &amp; Installing the Code */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. 
<br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> # yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. <br /> <br /> # yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> This section explains how to clone the Labeled-NFS Linux kernel repository and build and install the kernel. 
If you already know how to build a Linux kernel then you can skip to the section which explains how to enable the Labeled-NFS functionality.<br /> <br /> <br /> <br /> === NFS Utils ===<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. 
This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:12:09Z <p>DaveQuigley: </p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. 
<br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/. <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;<br /> <br /> == Building &amp; Installing the Code ==<br /> <br /> This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.<br /> <br /> === Installing Development Packages ===<br /> <br /> The nfs-utils git tree requires the development version of several packages to be installed. <br /> <br /> # yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \<br /> libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel<br /> <br /> <br /> Since all the Labeled-NFS code is published via git the next step is to install git if you do not already have it installed. 
<br /> <br /> # yum install git<br /> <br /> === Labeled-NFS Kernel ===<br /> <br /> === nfs-utils ===<br /> <br /> <br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for requirements and problem statement for MAC labeling support for NFSv4.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IEFT on 1 May 2008.<br /> ** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IEFT on 24 June 2008.<br /> <br /> == Mailing Lists ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. 
This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:09:51Z <p>DaveQuigley: /* Building the code */</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. 
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/.
The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/nfs-utils.git

* users/dpquigl/libnfsdoimap.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

== Building the code ==

This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora-specific utilities and package names. If you are running a distro other than Fedora, substitute the appropriate package manager calls and package names for your system.

== Install development packages ==

The nfs-utils git tree requires the development versions of several packages to be installed.

 # yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel \
   libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel

Since all the Labeled-NFS code is published via git, the next step is to install git if you do not already have it installed.

 # yum install git

== Testing the code ==

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T20:01:08Z <p>DaveQuigley: /* Building the code */</p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/.
The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/nfs-utils.git

* users/dpquigl/libnfsdoimap.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

== Building the code ==

This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform, so the instructions below reference Fedora-specific utilities and package names. If you are running a distro other than Fedora, substitute the appropriate package manager calls and package names for your system.

The nfs-utils git tree requires the development versions of several packages to be installed. These packages are listed in the command below.

Install development packages:

 yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel

== Testing the code ==

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T19:52:16Z <p>DaveQuigley: </p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/.
The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/nfs-utils.git

* users/dpquigl/libnfsdoimap.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

== Building the code ==

== Testing the code ==

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-11-26T19:51:09Z <p>DaveQuigley: /* Getting the code */</p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at http://git.selinuxproject.org/git/.
The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/nfs-utils.git

* users/dpquigl/libnfsdoimap.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-09T15:18:01Z <p>DaveQuigley: Comments about lnfs.git tree being unstable</p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

There are two ways to get the code for the prototype Labeled-NFS implementation. As active development proceeds we will be updating a series of public git trees with patches for the work.
These trees can be found at http://git.selinuxproject.org/git/. For now, use the second method to obtain the code until we have a working set of patches in the lnfs.git tree.

The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/libnfsdoimap.git

* users/dpquigl/nfs-utils.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree, these patches will become obsolete.

* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support the new mount options.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-utils for Labeled-NFS.

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:50:06Z <p>DaveQuigley: </p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

There are two ways to get the code for the prototype Labeled-NFS implementation. As active development proceeds we will be updating a series of public git trees with patches for the work.
These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML.

The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/libnfsdoimap.git

* users/dpquigl/nfs-utils.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree, these patches will become obsolete.

* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support the new mount options.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-utils for Labeled-NFS.

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 NFSv4WG Slides] Presentation by Dave Quigley given to the NFSv4 Working Group.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:43:17Z <p>DaveQuigley: </p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

There are two ways to get the code for the prototype Labeled-NFS implementation. As active development proceeds we will be updating a series of public git trees with patches for the work.
These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML.

The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/libnfsdoimap.git

* users/dpquigl/nfs-utils.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree, these patches will become obsolete.

* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support the new mount options.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-utils for Labeled-NFS.

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:42:23Z <p>DaveQuigley: Redid specification documents section</p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
As the specification matures and we see other people choose to prototype implementations on other operating systems and MAC systems, we will post that information here.

== Project News ==

None as of yet.

== Getting the code ==

There are two ways to get the code for the prototype Labeled-NFS implementation. As active development proceeds we will be updating a series of public git trees with patches for the work.
These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML.

The three trees that pertain to the Labeled-NFS work are:

* users/dpquigl/lnfs.git

* users/dpquigl/libnfsdoimap.git

* users/dpquigl/nfs-utils.git

To clone these trees use the command below, substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.

 git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt;

The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree, these patches will become obsolete.

* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support the new mount options.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-utils for Labeled-NFS.

== Specification Documents ==

* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux-specific version of Labeled NFS by James Morris.

* [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements MAC Labeling Requirements and Problem Statement Page:] Main IETF document page for the requirements and problem statement for MAC labeling support in NFSv4.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-00.txt draft-quigley-nfsv4-sec-label-requirements-00.txt:] Internet Draft submitted to the IETF on 1 May 2008.
** [http://tools.ietf.org/draft/draft-quigley-nfsv4-sec-label-requirements/draft-quigley-nfsv4-sec-label-requirements-01.txt draft-quigley-nfsv4-sec-label-requirements-01.txt:] Internet Draft submitted to the IETF on 24 June 2008.

== Mailing Lists and Archives ==

* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.

* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

== Presentations ==

* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.

* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

== News Articles ==

* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Quigley presents at IETF 71.

* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
</div>
DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:07:59Z <p>DaveQuigley: Reformatting/rewording of the page and added another mailing list.</p> <hr />
<div>== Introduction ==

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4].

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project.
This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels.
<br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Project News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> There are two ways to get the code for the prototype Labeled-NFS implementation. As active development ensues we will be updating a series of public git trees with patches for the work.<br /> These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML. <br /> <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt; <br /> <br /> The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. 
Once this code is updated to address the LKML comments and merged into the lnfs git tree these patches will become obsolete.<br /> <br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support new mount options.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-tuils for Labeled-NFS support.<br /> <br /> == Specification Documents ==<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.<br /> <br /> * [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4:] Internet Draft submitted to the IEFT on 30 April 2008.<br /> <br /> == Mailing Lists and Archives ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.<br /> <br /> * [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. 
This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.<br /> <br /> == Presentations == <br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> == News Articles ==<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:01:15Z <p>DaveQuigley: Made it so the file names are the links.</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> There are two ways to get the code for the prototype Labeled-NFS implementation. 
As active development ensues we will be updating a series of public git trees with patches for the work.<br /> These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML. <br /> <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt; <br /> <br /> The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree these patches will become obsolete.<br /> <br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt nfs-build.txt:] Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support new mount options.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt nfs-setup.txt:] Instructions for setting up NFSv4 mounts and exports with label support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch nfs-label.patch:] Patch with kernel modifications to add Labeled-NFS support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:] Patch to add mount support to nfs-tuils for Labeled-NFS support.<br /> <br /> <br /> == Resources ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Mailing List]<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt Requirements draft] (back when it was SELinux specific)<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 
71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> * [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4] Internet Draft submitted to the IEFT on 30 April 2008.<br /> <br /> <br /> &lt;br /&gt;<br /> [[Image:[[Media:Example.jpg]]]]</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T18:00:15Z <p>DaveQuigley: Added links to files for second option of getting the code.</p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> There are two ways to get the code for the prototype Labeled-NFS implementation. 
As active development ensues we will be updating a series of public git trees with patches for the work.<br /> These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML. <br /> <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt; <br /> <br /> The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree these patches will become obsolete.<br /> <br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-build.txt] nfs-build.txt: Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support new mount options.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-setup.txt] nfs-setup.txt: Instructions for setting up NFSv4 mounts and exports with label support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-label.patch] nfs-label.patch: Patch with kernel modifications to add Labeled-NFS support.<br /> * [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch] nfs-utils.patch: Patch to add mount support to nfs-tuils for Labeled-NFS support.<br /> <br /> <br /> == Resources ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Mailing List]<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt Requirements draft] (back when it was SELinux specific)<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 
71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).<br /> <br /> * [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4] Internet Draft submitted to the IEFT on 30 April 2008.<br /> <br /> <br /> &lt;br /&gt;<br /> [[Image:[[Media:Example.jpg]]]]</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T17:55:50Z <p>DaveQuigley: </p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> <br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == News ==<br /> <br /> None as of yet.<br /> <br /> == Getting the code ==<br /> <br /> There are two ways to get the code for the prototype Labeled-NFS implementation. As active development ensues we will be updating a series of public git trees with patches for the work.<br /> These trees can be found at http://git.selinuxproject.org/git/. 
At the moment the latest code is not yet in the tree since we are addressing comments from LKML. <br /> <br /> The three trees that pertain to the Labeled-NFS work are:<br /> <br /> * users/dpquigl/lnfs.git<br /> <br /> * users/dpquigl/libnfsdoimap.git<br /> <br /> * users/dpquigl/nfs-utils.git<br /> <br /> To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for &lt;tree&gt;.<br /> <br /> git-clone git://git.selinuxproject.org/~dpquigl/&lt;tree&gt; <br /> <br /> The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree these patches will become obsolete.<br /> <br /> * nfs-build.txt: Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support new mount options.<br /> * nfs-setup.txt: Instructions for setting up NFSv4 mounts and exports with label support.<br /> * nfs-label.patch: Patch with kernel modifications to add Labeled-NFS support.<br /> * nfs-utils.patch: Patch to add mount support to nfs-tuils for Labeled-NFS support.<br /> <br /> <br /> == Resources ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Mailing List]<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt Requirements draft] (back when it was SELinux specific)<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to 
information on Mandatory Access Control (MAC).<br /> <br /> * [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4] Internet Draft submitted to the IEFT on 30 April 2008.<br /> <br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Labeled_NFS Labeled NFS 2008-07-07T17:42:34Z <p>DaveQuigley: </p> <hr /> <div>== Introduction ==<br /> <br /> Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within [http://www.ietf.org/html.charters/nfsv4-charter.html NFSv4]<br /> Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. <br /> This page will contain news, sourcecode, documentation, and specification documents pertaining to the Labeled-NFS effort. <br /> At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. <br /> As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.<br /> <br /> == Resources ==<br /> <br /> * [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Mailing List]<br /> <br /> * [http://namei.org/lnfs/senfs-requirements-draft-06.txt Requirements draft] (back when it was SELinux specific)<br /> <br /> * [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.<br /> <br /> * [http://www.darkreading.com/document.asp?doc_id=148360&amp;WT.svl=news2_2 &quot;NSA Pushes ‘Labeled’ Access Control for NFS&quot;] Dark Reading coverage.<br /> <br /> * [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.<br /> <br /> * [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory 
Access Control (MAC).<br /> <br /> * [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4] Internet Draft submitted to the IEFT on 30 April 2008.<br /> <br /> <br /> &lt;br /&gt;</div> DaveQuigley http://selinuxproject.org/page/Documentation_TODO Documentation TODO 2008-06-30T17:59:16Z <p>DaveQuigley: </p> <hr /> <div>* How to upgrade a system from a previously SELinux-disabled system (e.g. how to ensure any restored data like /home is correctly labeled)<br /> * Update and organize the Fedora SELinux FAQ.<br /> * Explain how and when to use semanage fcontext, port, login and user.<br /> * Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information.<br /> * Write a HOWTO for writing simple policy modules.<br /> * Write a HOWTO for how to iteratively generate policy using audit2allow and permissive domains.<br /> * A brief high-level user-oriented overview of SELinux which people can use to understand what SELinux does, how it's part of a defense in depth approach, the value it provides and what is involved in using it effectively (e.g. set expectations of benefit/cost).<br /> * Update FC5 FAQ<br /> * Translate danwalsh.livejounal.com in to a beginner user guide<br /> * Document all major policy domains, apache, samba, bind, ftp ... 
Basically man httpd_selinux, What are the types/booleans available for a particular domain, and how do I assign them<br /> * Document the use of the mount command for overriding file context.<br /> * Describe Leaked File Descriptors<br /> * Describe Audit2allow and how it can just Fix the machine<br /> * Document Network Labeling<br /> * Document Confined Users<br /> * Document HOWTO write setroubleshoot plugins<br /> * Explain least privilege and how you can consider it and SELinux during application development.<br /> * Document some common tasks performed with apol that might be useful to users.</div> DaveQuigley