NFS mount fail
Paul Moore
paul at paul-moore.com
Fri May 5 14:03:48 UTC 2023
On Thu, May 4, 2023 at 9:00 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 5/4/2023 9:11 AM, Roberto Sassu wrote:
> > Hi Casey
> >
> > while developing the fix for overlayfs, I tried first to address the
> > issue of a NFS filesystem failing to mount.
> >
> > The NFS server does not like the packets sent by the client:
> >
> > 14:52:20.827208 IP (tos 0x0, ttl 64, id 60628, offset 0, flags [DF], proto TCP (6), length 72, options (unknown 134,EOL))
> > localhost.localdomain.omginitialrefs > _gateway.nfs: Flags [S], cksum 0x7618 (incorrect -> 0xa18c), seq 455337903, win 64240, options [mss 1460,sackOK,TS val 2178524519 ecr 0,nop,wscale 7], length 0
> > 14:52:20.827376 IP (tos 0xc0, ttl 64, id 5906, offset 0, flags [none], proto ICMP (1), length 112, options (unknown 134,EOL))
> > _gateway > localhost.localdomain: ICMP parameter problem - octet 22, length 80
> >
> > I looked at the possible causes. SELinux works properly.
>
> SELinux was the reference LSM implementation for labeled networking.
>
> > What it seems to happen is that there is a default netlabel mapping,
> > that is used to send the packets out.
>
> Correct. SELinux only uses CIPSO options for MLS.
SELinux can use the NetLabel/CIPSO "local" configuration to send
full SELinux labels over a loopback connection.
* https://www.paul-moore.com/blog/d/2012/06/cipso_loopback_full_labels.html
There are several differences between how SELinux and Smack implement
labeled networking, one of the larger differences is that SELinux
leaves the labeling configuration, e.g. which networks/interfaces are
labeled and how, as a separate exercise for the admin whereas the
labeling configuration is much more integrated with Smack.
I wouldn't say one approach is better than the other, they are simply
different. The SELinux approach provides for the greatest amount of
flexibility with the understanding that more work needs to be done by
the admin. The Smack approach provides a quicker path to getting a
system up and running, but it is less flexible for challenging/mixed
network environments.
There are other issues around handling IPv6, the sockets-as-objects
debate, etc. but those shouldn't be relevant to this discussion.
--
paul-moore.com
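The capture quoted above shows the client's SYN carrying an unknown-to-tcpdump IP option 134 (the CIPSO option number used by NetLabel) followed by EOL, and the server answering with an ICMP Parameter Problem whose pointer is octet 22. The following is an added diagnostic example, not code from this thread or from the kernel: it builds a constructed IPv4 header with a minimal CIPSO option (the DOI value 1, sensitivity level 0 and empty category bitmap are assumptions, since the capture only reveals the option number), walks the options field, and maps an ICMP pointer to the option and field it lands in. With a 20-byte base header, octet 22 is the third byte of an option that starts at octet 20, which for CIPSO is the start of the DOI field.

```python
"""Decode IPv4 options and map an ICMP Parameter Problem pointer onto them.

Added example (not from the mailing-list thread). The sample packet below is
constructed; only the option number 134 and the EOL come from the capture.
"""
import struct

IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_CIPSO = 134  # CIPSO option number, what tcpdump printed as "unknown 134"
BASE_HEADER_LEN = 20


def build_ipv4_header_with_cipso(src, dst, doi, level, total_len):
    """Constructed sample header: base IPv4 header plus one CIPSO option.

    The CIPSO option is type 134, length 10: a 4-byte DOI and one tag of
    tag-type 1 (bitmap) with an empty category bitmap (type, len=4, align, level).
    The option list is terminated with EOL and padded to a 4-byte boundary.
    The checksum is left as 0 because this header is only parsed, never sent.
    """
    cipso = struct.pack("!BBIBBBB", IPOPT_CIPSO, 10, doi, 1, 4, 0, level)
    opts = cipso + bytes([IPOPT_EOL])
    opts += b"\x00" * (-len(opts) % 4)
    ihl = 5 + len(opts) // 4
    base = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,  # version 4, header length in 32-bit words
        0,               # TOS
        total_len,       # total length as seen in the capture
        60628,           # identification, taken from the quoted trace
        0x4000,          # flags: DF, fragment offset 0
        64,              # TTL
        6,               # protocol TCP
        0,               # checksum (not computed for this offline sample)
        src,
        dst,
    )
    return base + opts


def parse_ipv4_options(pkt):
    """Return a list of (octet_offset, option_type, raw_bytes) from the header.

    Offsets are counted from the start of the IP header, the same frame of
    reference an ICMP Parameter Problem pointer uses.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < BASE_HEADER_LEN or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts = pkt[BASE_HEADER_LEN:ihl]
    found = []
    i = 0
    while i < len(opts):
        typ = opts[i]
        if typ == IPOPT_EOL:
            found.append((BASE_HEADER_LEN + i, IPOPT_EOL, b""))
            break
        if typ == IPOPT_NOP:
            found.append((BASE_HEADER_LEN + i, IPOPT_NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("truncated option")
        found.append((BASE_HEADER_LEN + i, typ, bytes(opts[i:i + length])))
        i += length
    return found


def cipso_doi(raw):
    """Extract the 32-bit DOI from a raw CIPSO option."""
    return struct.unpack("!I", raw[2:6])[0]


def locate_icmp_pointer(pkt, pointer):
    """Map a Parameter Problem pointer (octet offset into the IP header) to a field.

    Returns ("base-header", octet), ("cipso", rel_offset, field_name),
    ("option", type, rel_offset_or_None) or ("padding", octet).
    """
    if pointer < BASE_HEADER_LEN:
        return ("base-header", pointer)
    for off, typ, raw in parse_ipv4_options(pkt):
        if typ in (IPOPT_EOL, IPOPT_NOP):
            if pointer == off:
                return ("option", typ, None)
            continue
        if off <= pointer < off + len(raw):
            rel = pointer - off
            if typ == IPOPT_CIPSO:
                field = {0: "type", 1: "length"}.get(rel, "doi" if rel < 6 else "tag")
                return ("cipso", rel, field)
            return ("option", typ, rel)
    return ("padding", pointer)


if __name__ == "__main__":
    sample = build_ipv4_header_with_cipso(b"\x7f\x00\x00\x01", b"\x0a\x00\x00\x01",
                                          doi=1, level=0, total_len=72)
    for off, typ, raw in parse_ipv4_options(sample):
        extra = f" doi={cipso_doi(raw)}" if typ == IPOPT_CIPSO else ""
        print(f"octet {off}: option {typ} len {len(raw)}{extra}")
    print("ICMP pointer 22 ->", locate_icmp_pointer(sample, 22))
```

Running the script lists the CIPSO option at octet 20 and the EOL at octet 30, and reports that pointer 22 falls on the DOI field of the CIPSO option. That is the first thing to check when a peer rejects labeled packets: whether it shares the sender's DOI and mapping, or whether it was never configured for labeled traffic at all, as with the default mapping discussed above.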