Package: nfs-kernel-server
Version: 1:1.3.4-6
Severity: important
X-Debbugs-Cc: [email protected]

This was initially handled by RHEL:
- https://bugzilla.redhat.com/show_bug.cgi?id=1406885

To summarize:
- SELinux label can be forwarded to client in NFS 4.2
- Kernel enabled that behavior by default for a while, and then disabled it later on due to complaints.
- Now it requires option `security_label` in export list.
- Debian 11's stock NFS doesn't support this option (`exportfs: /etc/exports:2: unknown keyword "security_label"` from `systemctl start nfs-server`).
- Debian can handle NFS 4.2 well and see remote SELinux labels as client, but cannot export its own when used as a server.

There's a fix in upstream, which is only in 1.3.5-rc6:
- https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=13e2f9577b88d44001b509e89122ad907805b250

Prefer to have it backported (only a few lines of diff) to a stable version. RedHat has done that for 1.3.0.
Or alternatively ship the rc version if it's stable enough.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  56383  mountd
    100005    1   tcp  39155  mountd
    100005    2   udp  44594  mountd
    100005    2   tcp  33081  mountd
    100005    3   udp  51860  mountd
    100005    3   tcp  52315  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  53134  nlockmgr
    100021    3   udp  53134  nlockmgr
    100021    4   udp  53134  nlockmgr
    100021    1   tcp  39965  nlockmgr
    100021    3   tcp  39965  nlockmgr
    100021    4   tcp  39965  nlockmgr
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD=""
RPCSVCGSSDOPTS=""
-- /etc/exports --
/Latte 10.0.0.0/8(rw,nohide,insecure,sync)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs
/Latte 10.0.0.0/8(rw,insecure,root_squash,sync,wdelay,nohide,no_subtree_check,uuid=f8703289:004ce25b:00000000:00000000,sec=1)

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/36 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages nfs-kernel-server depends on:
ii  keyutils      1.6.1-2
ii  libblkid1     2.36.1-8+deb11u1
ii  libc6         2.31-13+deb11u2
ii  libcap2       1:2.44-1
ii  libsqlite3-0  3.34.1-3
ii  libtirpc3     1.3.1-1
ii  libwrap0      7.6.q-31
ii  lsb-base      11.1.0
ii  netbase       6.3
ii  nfs-common    1:1.3.4-6
ii  ucf           3.0043

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
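
Added example, not part of the original report or of nfs-utils: a small check that parses an export table in the `/proc/fs/nfs/exports` layout quoted above and lists the exports that do not carry `security_label`, i.e. the ones whose SELinux labels will not reach NFS 4.2 clients. It assumes the kernel prints `security_label` among the flags when the option is active; the `/srv/labeled` entry is constructed for illustration.

```python
import re

# Constructed sample: first entry is the one from the report, the second
# is a made-up export that has the security_label flag set.
SAMPLE = (
    "# Version 1.1\n"
    "# Path Client(Flags) # IPs\n"
    "/Latte\t10.0.0.0/8(rw,insecure,root_squash,sync,wdelay,nohide,"
    "no_subtree_check,uuid=f8703289:004ce25b:00000000:00000000,sec=1)\n"
    "/srv/labeled\t192.0.2.0/24(rw,sync,security_label,no_subtree_check,sec=1)\n"
)

# One "client(flag,flag,key=value,...)" group.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")


def parse_exports(text):
    """Return a list of (path, client, flag_names) for each export entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header and comment lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # a path with no client list carries nothing to check
        path, clients = parts
        for match in CLIENT_RE.finditer(clients):
            # Keep only the option name, so "sec=1" is recorded as "sec".
            flags = {f.split("=", 1)[0] for f in match.group(2).split(",") if f}
            entries.append((path, match.group(1), flags))
    return entries


def missing_security_label(text):
    """Exports whose flag list lacks security_label."""
    return [(p, c) for p, c, flags in parse_exports(text)
            if "security_label" not in flags]


if __name__ == "__main__":
    # On a live server, read /proc/fs/nfs/exports instead of SAMPLE.
    for path, client in missing_security_label(SAMPLE):
        print(f"{path} -> {client}: SELinux labels are not exported")
```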

