Overview
Security labels are a feature introduced with NFSv4.2 to implement Mandatory Access Control (MAC): files and directories are assigned labels, and access decisions are based on those labels. Security labels can be set and retrieved as attributes using the SETATTR and GETATTR RPCs.
VAST Cluster supports NFSv4.2 labeling in Limited Server Mode. In this mode, VAST Cluster can store and return security labels on NFSv4.2-enabled tenants, but it does not enforce label-based access decision-making. Label assignment and validation are done by NFSv4.2 clients.
The following rules and restrictions apply:
Clients are not allowed to set security labels on the root directory of a tenant.
For non-labeled files or directories, the following default security context is reported:
unconfined_u:object_r:usr_t:s0
To let clients set and query NFSv4.2 security labels, complete the steps in the following sections:
Enabling and Disabling NFSv4.2 for a Tenant
Support of NFSv4.2 can be enabled or disabled per VAST Cluster tenant.
To enable or disable NFSv4.2 for a tenant:
In VAST Web UI, toggle the Enable NFSv4.2 option in the Advanced tab of the Create Tenant or Update Tenant dialogs (Element Store -> Tenants -> choose to create or update a tenant).
In VAST CLI, run the tenant create or tenant modify command with the --enable-nfs-v4.2 or --disable-nfs-v4.2 option specified.
To view the current status of NFSv4.2 per tenant:
In VAST Web UI, go to Element Store -> Tenants and display the NFSv4.2 Protocol Support column.
In VAST CLI, run the tenant list or tenant show command and find the Enable NFSv4.2 field in the output.
Configuring the View to Support NFSv4.2
Verify that NFSv4 is included in the list of protocols enabled for the view. (The NFSv4 option enables both NFSv4.1 and NFSv4.2.)
In VAST Web UI, open the general settings for the view (Element Store -> Views -> choose to display or edit a view -> go to General tab) and ensure that the NFSv4 option is selected in the Protocols dropdown.
In VAST CLI, run the view show --id <view ID> command and check that the Protocols field in the command output includes NFSv4. If not, run the view modify --id <view ID> --protocols NFS4 command to enable NFSv4.1 and NFSv4.2 for the view.
Verifying Client and Mount Setup for NFSv4.2
On the client, complete the following steps:
Verify that SELinux status is enabled:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
Mount the file system from the VAST cluster:
$ sudo mount <tenant virtual IP>:/ /mnt
Verify that the mount is done using NFS version 4.2:
$ mount | grep mnt
<tenant virtual IP>:/ on /mnt type nfs4 (rw,relatime,seclabel,vers=4.2,<...>)
Setting and Querying Security Labels
The following example shows how to set and query a security label on a file:
Note
As a prerequisite, complete the steps in Verifying Client and Mount Setup for NFSv4.2.
Display the security context for a file on the mount. Since no security label has yet been set, the default security context is shown:
$ ls -lZ /mnt/file.txt
-rw-rw-r--. 1 user1 group1 unconfined_u:object_r:usr_t:s0 0 May 8 14:17 /mnt/file.txt
Run the SELinux chcon command to change the security context. You may also create your own SELinux policy and use the restorecon command to relabel files (see SELinux documentation for details).
$ chcon -t var_t -u root /mnt/file.txt
Display the security context for the file again and check that the label has changed:
$ ls -lZ /mnt/file.txt
-rw-rw-r--. 1 user1 group1 root:object_r:var_t:s0 0 May 8 14:17 /mnt/file.txt
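The following shell helpers turn the two procedures above (verifying the client mount, then setting and reading back a label) into checks a script can run. This is an added example, not VAST's own code or tooling: the function names, the /mnt mount point, the sample IP address and the sample ls -lZ lines are assumptions constructed for illustration; the mount-option format and the default context unconfined_u:object_r:usr_t:s0 come from the page. Because VAST operates in Limited Server Mode, the server stores and returns whatever the client writes, so the useful check on the client side is that the mount actually negotiated vers=4.2 with seclabel and that the context read back with ls -Z matches what chcon set.

```shell
#!/bin/sh
# Added example (not VAST's code): helpers for the NFSv4.2 security-label
# procedure. The parsing functions work on captured text and run offline;
# only label_file touches a real mount.

# Default context the server reports for files that carry no label (from the page).
DEFAULT_CTX="unconfined_u:object_r:usr_t:s0"

# mount_is_v42_seclabel <one line of `mount` output>
# Succeeds only if the line describes an nfs4 mount whose options include
# both vers=4.2 and seclabel; without those, labels cannot be set or read.
mount_is_v42_seclabel() {
    line=$1
    case "$line" in
        *" type nfs4 ("*) ;;
        *) return 1 ;;
    esac
    opts=${line##*"type nfs4 ("}   # strip everything up to the option list
    opts=${opts%")"}               # drop the closing parenthesis
    has_vers=1; has_seclabel=1
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        [ "$opt" = "vers=4.2" ] && has_vers=0
        [ "$opt" = "seclabel" ] && has_seclabel=0
    done
    IFS=$old_ifs
    [ "$has_vers" -eq 0 ] && [ "$has_seclabel" -eq 0 ]
}

# file_ctx_from_ls <one line of `ls -lZ` output>
# Prints the security-context column (field 5: mode links user group context ...).
file_ctx_from_ls() {
    set -- $1
    printf '%s\n' "$5"
}

# ctx_field <context> <n>
# Prints field n of a context: 1=user, 2=role, 3=type, 4=MLS range.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# is_labeled <context>
# Succeeds if the context differs from the default reported for unlabeled
# files, i.e. a client has actually stored a label for this object.
is_labeled() {
    [ "$1" != "$DEFAULT_CTX" ]
}

# label_file <path> <type> [<user>]
# Sets the SELinux type (and optionally the user) with chcon, reads the
# context back with ls -lZ and confirms the server returned what was set.
# Prints the resulting context on success.
label_file() {
    path=$1; type=$2; user=${3:-}
    if [ -n "$user" ]; then
        chcon -t "$type" -u "$user" "$path"
    else
        chcon -t "$type" "$path"
    fi
    ctx=$(file_ctx_from_ls "$(ls -lZ "$path")")
    [ "$(ctx_field "$ctx" 3)" = "$type" ] || { echo "type not applied: $ctx" >&2; return 1; }
    if [ -n "$user" ]; then
        [ "$(ctx_field "$ctx" 1)" = "$user" ] || { echo "user not applied: $ctx" >&2; return 1; }
    fi
    printf '%s\n' "$ctx"
}

# Usage on a real client (assumed mount point /mnt; not executed here):
#   mount | grep ' /mnt ' | { read -r l; mount_is_v42_seclabel "$l"; } \
#       && label_file /mnt/file.txt var_t root
```

A mount that falls back to vers=4.1, or one on which the client did not negotiate seclabel, makes mount_is_v42_seclabel fail before any chcon is attempted, which is the failure the page's "Verify that the mount is done using NFS version 4.2" step is guarding against. The is_labeled check matters because the default context is indistinguishable from a label that happens to equal it; the helper treats only a context different from the default as evidence that a label was stored.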