Hello,
Could anyone advise on how to make SELinux run on a diskless client with NFS root?
It is a Fedora 26 system. I'm mounting with NFS flags to enable SELinux labels.
... root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4 rootflags=seclabel,vers=4.2 ...
(I guess I'm duplicating things here. Google has found different suggestions in different places. I've added all of them for now.)
Listing directories after the system comes up shows all labels as expected. For example
[goeran@pluto ~]$ ls -lZ /usr/lib/systemd/systemd
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1183248 27 jun 23.49 /usr/lib/systemd/systemd
But the processes don't wind up in the correct domains. Process 1 remains in kernel_t. A lot of other processes too, but I guess the underlying reason is process 1.
[goeran@pluto ~]$ ps -Zp 1
LABEL                          PID TTY          TIME CMD
system_u:system_r:kernel_t:s0    1 ?        00:00:24 systemd
The only exception is when I login via SSH. Those processes wind up in the unconfined_t domain. SSHD seems to still do the right thing, and from there it appears to work. E.g. if I start a dbus-daemon in the SSH session, it runs in unconfined_dbusd_t.
I run this system in permissive mode, so things do work. But I naturally do get a lot of AVCs. Of course, I would prefer to make SELinux enforced if possible.
Does anyone have any tips?
On Tue, Oct 24, 2017 at 06:36:38PM +0200, Göran Uddeborg wrote:
I'd be interested in your setup if it's possible.
I was able to boot only to a system with nfs_t labels everywhere. It seems to be a result of how and when dracut mounts /sysroot. At that moment, SELinux policy is not loaded yet and a filesystem is mounted without 'seclabel' and it doesn't remount it after the policy is loaded.
As a workaround, I appended rd.break to the kernel line and ran the following steps in the dracut shell - which could probably be transformed into a dracut module:
switch_root:/# umount /sysroot/var/lib/nfs/rpc_pipefs
switch_root:/# chroot /sysroot load_policy -i
switch_root:/# umount /sysroot/sys/fs/selinux
switch_root:/# umount /sysroot/sys
switch_root:/# umount /sysroot/
switch_root:/# mount -v -o v4.2 192.168.170.1:/export/root/rawhide /sysroot
switch_root:/# mount | grep sysroot
192.168.170.1:/export/root/rawhide on /sysroot type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.170.161,local_lock=none,addr=192.168.170.1)
switch_root:/# exit
And after the system finished booting, everything looks correct.
# ps axZ | grep systemd
system_u:system_r:init_t:s0                        1 ?  Ss   0:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 25
system_u:system_r:syslogd_t:s0                   670 ?  Ss   0:00 /usr/lib/systemd/systemd-journald
system_u:system_r:udev_t:s0-s0:c0.c1023          699 ?  Ss   0:00 /usr/lib/systemd/systemd-udevd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  789 ?  Ssl  0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
system_u:system_r:systemd_logind_t:s0           1046 ?  Ss   0:00 /usr/lib/systemd/systemd-logind
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1087 ?  Ss   0:00 /usr/lib/systemd/systemd --user --log-level=debug
Petr
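A small diagnostic for the condition described in this thread (root visible with labels but mounted without 'seclabel', so PID 1 stays in kernel_t), added here as an example and not part of the thread or of dracut. The function names are assumptions and the sample mount lines used for checking are constructed; on a live system it reads `mount` and /proc/1/attr/current.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper names, not from dracut or Fedora).
# Symptom from the thread: files show labels, but the root filesystem was
# mounted before the policy loaded and lacks 'seclabel', so init runs as kernel_t.

# Return 0 if the mount(8) output in $1 lists option $3 for mount point $2.
# Example line: "srv:/export on /sysroot type nfs4 (rw,relatime,seclabel,vers=4.2)"
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        $2 == "on" && $3 == mp {
            opts = $NF; gsub(/[()]/, "", opts)     # strip the parentheses
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Extract the SELinux type from a context such as system_u:system_r:kernel_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdict: 0 = root carries seclabel, was mounted with NFS v4.2 and PID 1 is
# init_t; 1 = the failure mode from the thread.
check_boot_labels() {
    # $1: mount output, $2: root mount point, $3: context of PID 1
    mount_has_opt "$1" "$2" seclabel || return 1
    mount_has_opt "$1" "$2" vers=4.2 || return 1
    [ "$(context_type "$3")" = "init_t" ]
}

# Live check, only when invoked with --live (skipped when sourced for tests).
if [ "${1-}" = "--live" ]; then
    if check_boot_labels "$(mount)" / "$(cat /proc/1/attr/current)"; then
        echo "OK: / has seclabel (NFS v4.2) and PID 1 runs as init_t"
    else
        echo "PROBLEM: / lacks seclabel/vers=4.2 or PID 1 is not init_t"
        exit 1
    fi
fi
```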
Petr Lautrbach:
I'd be interested in your setup if it's possible.
Sure!
But first, thanks for your input! I'll study it further.
"Setup" is a bit vague, I'll try to include what I can think of. Let me know if you think of something I forgot.
On the server (mimmi) side, I export /remote/pluto to become the root of the client (pluto). In order to work around the problem described in https://bugzilla.redhat.com/show_bug.cgi?id=1480848 I also export the directory above, /remote. Excerpt from /etc/exports:
/remote       pluto(rw,sync,no_root_squash,security_label)
/remote/pluto pluto(rw,sync,no_root_squash,security_label)
/var          172.17.0.0/18(rw,sync,no_root_squash,security_label)
/var/lib/TV   pluto(rw,sync,security_label)
...
On the client, I mount root and /var/lib/TV in /etc/fstab. (Since root is mounted earlier, I guess only the latter really matters.)
mimmi:/remote/pluto /           nfs defaults,seclabel,vers=4.2 0 0
mimmi:/var/lib/TV   /var/lib/TV nfs defaults,seclabel,vers=4.2,comment=systemd.automount 0 0
On the boot line I add some additional parameters, as mentioned previously. The complete line looks like this, taken from /var/lib/tftpboot/pxelinux.cfg/AC110005 on the server. I don't know how much of it actually is needed.
label Current
    kernel vmlinuz-4.12.14-300.fc26.x86_64
    append initrd=initramfs-4.12.14-300.fc26.x86_64.img root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4 rootflags=seclabel,vers=4.2 rd.nfs.domain=uddeborg rw acpi_enforce_resources=lax LANG=sv_SE.UTF-8 vconsole.font=latarcyrheb-sun16 vconsole.keymap=sv-latin1 loglevel=8 drm_kms_helper.edid_firmware=VGA-1:edid/Philips-TV.bin
It doesn't seem possible to SET the labels over NFS, even when they can be seen. That is something dracut tries to do when building the initramfs. For that reason, I tell dracut to use /tmp instead of the default /var/tmp as /tmp is a local tmpfs file system where labels can be set. From /etc/dracut.conf.d/fs-etiketter.conf:
tmpdir="/tmp"
That is what I can think of as relevant parts of the setup. It results in a system that comes up with visible SELinux labels on the files. But as I mentioned, most processes run in the kernel_t domain.
It is interesting you got it to work. My understanding of dracut and all its modules isn't exactly clear. I'll look closer at what you did and see if I can understand what makes this work, and why it is different when booting from NFS compared to when booting from a local disk.
selinux@lists.fedoraproject.org