
Bug#1005236: nfs-kernel-server 1.3.4 does not support security_label option for SELinux over NFS 4.2



Package: nfs-kernel-server
Version: 1:1.3.4-6
Severity: important
X-Debbugs-Cc: xkszltl@gmail.com


This was initially handled by RHEL:
- https://bugzilla.redhat.com/show_bug.cgi?id=1406885

To summarize:
- SELinux label can be forwarded to client in NFS 4.2
- Kernel enabled that behavior by default for a while, and then disabled it later on due to complaints.
- Now it requires option `security_label` in export list.
- Debian 11's stock NFS doesn't support this option (`exportfs: /etc/exports:2: unknown keyword "security_label"` from `systemctl start nfs-server`).
- Debian can handle NFS 4.2 well and see remote SELinux labels as a client, but cannot export its own when used as a server.

There's a fix in upstream, which is only in 1.3.5-rc6:
- https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=13e2f9577b88d44001b509e89122ad907805b250

Prefer to have it backported (only a few lines of diff) to a stable version.
RedHat has done that for 1.3.0.
Or alternatively ship the rc version if it's stable enough.


-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  56383  mountd
    100005    1   tcp  39155  mountd
    100005    2   udp  44594  mountd
    100005    2   tcp  33081  mountd
    100005    3   udp  51860  mountd
    100005    3   tcp  52315  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  53134  nlockmgr
    100021    3   udp  53134  nlockmgr
    100021    4   udp  53134  nlockmgr
    100021    1   tcp  39965  nlockmgr
    100021    3   tcp  39965  nlockmgr
    100021    4   tcp  39965  nlockmgr
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD=""
RPCSVCGSSDOPTS=""
-- /etc/exports --
/Latte           10.0.0.0/8(rw,nohide,insecure,sync)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs
/Latte	10.0.0.0/8(rw,insecure,root_squash,sync,wdelay,nohide,no_subtree_check,uuid=f8703289:004ce25b:00000000:00000000,sec=1)

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/36 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages nfs-kernel-server depends on:
ii  keyutils      1.6.1-2
ii  libblkid1     2.36.1-8+deb11u1
ii  libc6         2.31-13+deb11u2
ii  libcap2       1:2.44-1
ii  libsqlite3-0  3.34.1-3
ii  libtirpc3     1.3.1-1
ii  libwrap0      7.6.q-31
ii  lsb-base      11.1.0
ii  netbase       6.3
ii  nfs-common    1:1.3.4-6
ii  ucf           3.0043

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
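
An added example (not part of the bug report or of nfs-utils): a shell function that lists the entries in exports-format text whose option list lacks `security_label`, meaning exports that will not forward SELinux labels under the behaviour summarized in the report. The helper name `exports_missing_label`, the `/srv/labeled` line and the `192.0.2.10` client are constructed for illustration; only the `/Latte` line comes from the report.

```shell
#!/bin/sh
# Added example: audit exports(5)-style text for entries without security_label.
# Scope: plain "path client(options)..." lines; default-option ("-opts")
# entries and line continuations are not handled.

# Reads exports-format lines on stdin and prints "path client" for every
# client entry whose option list does not contain security_label.
exports_missing_label() {
    awk '
    {
        sub(/#.*/, "")              # strip comments (also the /proc header lines)
        if (NF < 2) next            # blank line, or a path with no client list
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i
            opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            found = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "security_label") found = 1
            if (!found) print path, client
        }
    }'
}

# Constructed sample: the first entry is the /etc/exports line from the report,
# the second is hypothetical and mixes a labeled and an unlabeled client.
SAMPLE_EXPORTS='# constructed sample
/Latte           10.0.0.0/8(rw,nohide,insecure,sync)
/srv/labeled     10.0.0.0/8(rw,sync,security_label) 192.0.2.10(ro,sync)'

printf '%s\n' "$SAMPLE_EXPORTS" | exports_missing_label
```

Run it as `exports_missing_label < /etc/exports`; on a server whose exportfs lacks the upstream fix, adding the option to a flagged entry produces the `unknown keyword "security_label"` error quoted in the report.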

