Bug#1005236: nfs-kernel-server 1.3.4 does not support security_label option for SELinux over NFS 4.2
Package: nfs-kernel-server
Version: 1:1.3.4-6
Severity: important
X-Debbugs-Cc: xkszltl@gmail.com
This was initially handled by RHEL:
- https://bugzilla.redhat.com/show_bug.cgi?id=1406885
To summarize:
- SELinux label can be forwarded to client in NFS 4.2
- Kernel enabled that behavior by default for a while, and then disabled it later on due to complaints.
- Now it requires option `security_label` in export list.
- Debian 11's stock NFS doesn't support this option (`exportfs: /etc/exports:2: unknown keyword "security_label"` from `systemctl start nfs-server`).
- Debian can handle NFS 4.2 well and see remote SELinux labels as a client, but cannot export its own when used as a server.
There's a fix upstream, which is only in 1.3.5-rc6:
- https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=13e2f9577b88d44001b509e89122ad907805b250
I'd prefer to have it backported (only a few lines of diff) to a stable version.
RedHat has done that for 1.3.0.
Or alternatively ship the rc version if it's stable enough.
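As an added example (not part of this report or of nfs-utils), a small Python audit that parses /etc/exports entries in the syntax shown above and reports which exports will not forward SELinux labels because `security_label` is absent, plus a check of the packaged nfs-utils version. The sample exports lines are constructed, and the 1.3.5 minimum assumes every 1.3.5 release carries the rc6 fix.

```python
import re
from typing import List, Tuple

# Upstream nfs-utils release whose rc6 taught exportfs the security_label
# keyword (assumption: any 1.3.5 or later build includes that commit).
MIN_NFS_UTILS = (1, 3, 5)

# Constructed sample in /etc/exports syntax: the report's line, the same
# export with the option the kernel now requires, and one more export.
SAMPLE_EXPORTS = """\
# /Latte as in the report: SELinux labels are NOT forwarded
/Latte 10.0.0.0/8(rw,nohide,insecure,sync)
# Same export with security_label, as accepted after the upstream fix
/Latte 10.0.0.0/8(rw,nohide,insecure,sync,security_label)
/srv/data\t*(ro,sync)
"""

# client(opt,opt) or a bare client with no option list
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, [options]) for every client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, rest = (line.split(None, 1) + [""])[:2]
        for m in CLIENT_RE.finditer(rest):
            client = m.group(1) or m.group(3)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries

def exports_without_labels(text: str) -> List[Tuple[str, str]]:
    """(path, client) pairs that will not forward SELinux labels over NFS 4.2."""
    return [(p, c) for p, c, opts in parse_exports(text)
            if "security_label" not in opts]

def nfs_utils_version(debian_version: str) -> Tuple[int, ...]:
    """Strip Debian epoch and revision: '1:1.3.4-6' -> (1, 3, 4)."""
    upstream = debian_version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(x) for x in upstream.split("."))

def supports_security_label(debian_version: str) -> bool:
    """True when the packaged exportfs should accept the security_label keyword."""
    return nfs_utils_version(debian_version) >= MIN_NFS_UTILS

if __name__ == "__main__":
    print("exportfs accepts security_label:", supports_security_label("1:1.3.4-6"))
    for path, client in exports_without_labels(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: labels not exported (add security_label)")
```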
-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 56383 mountd
100005 1 tcp 39155 mountd
100005 2 udp 44594 mountd
100005 2 tcp 33081 mountd
100005 3 udp 51860 mountd
100005 3 tcp 52315 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 53134 nlockmgr
100021 3 udp 53134 nlockmgr
100021 4 udp 53134 nlockmgr
100021 1 tcp 39965 nlockmgr
100021 3 tcp 39965 nlockmgr
100021 4 tcp 39965 nlockmgr
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD=""
RPCSVCGSSDOPTS=""
-- /etc/exports --
/Latte 10.0.0.0/8(rw,nohide,insecure,sync)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs
/Latte 10.0.0.0/8(rw,insecure,root_squash,sync,wdelay,nohide,no_subtree_check,uuid=f8703289:004ce25b:00000000:00000000,sec=1)
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-11-amd64 (SMP w/36 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages nfs-kernel-server depends on:
ii keyutils 1.6.1-2
ii libblkid1 2.36.1-8+deb11u1
ii libc6 2.31-13+deb11u2
ii libcap2 1:2.44-1
ii libsqlite3-0 3.34.1-3
ii libtirpc3 1.3.1-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii netbase 6.3
ii nfs-common 1:1.3.4-6
ii ucf 3.0043
nfs-kernel-server recommends no packages.
nfs-kernel-server suggests no packages.
-- no debconf information