<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<div>Thank you so much Jiffin for the quick response! <br>
<br>
-Janak<br>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Jiffin Thottan &lt;jthottan@redhat.com&gt;<br>
<b>Sent:</b> Thursday, June 20, 2019 11:58:52 PM<br>
<b>To:</b> Desai, Janak<br>
<b>Cc:</b> Gluster Devel; nfs-ganesha-devel<br>
<b>Subject:</b> Re: Quick question about the latest glusterfs and client side selinux support</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi Janak,<br>
<br>
Currently, it is supported in glusterfs (from 2.8 onwards) and cephfs (already there in 2.7) for nfs-ganesha.<br>
<br>
--<br>
Jiffin<br>
<br>
----- Original Message -----<br>
From: "Janak Desai" &lt;Janak.Desai@gtri.gatech.edu&gt;<br>
To: "Jiffin Tony Thottan" &lt;jthottan@redhat.com&gt;<br>
Sent: Thursday, June 20, 2019 9:29:09 PM<br>
Subject: Re: Quick question about the latest glusterfs and client side selinux support<br>
<br>
Hi Jiffin,<br>
<br>
<br>
<br>
I came across your presentation “NFS-Ganesha Weather Report” that you gave at FOSDEM’19 in early Feb this year. In that you mentioned that ongoing developments in v2.8 include “labelled NFS” support. I see that v2.8 is now out. Do you know if labelled
NFS support made it in? If it did, is it only supported in the CEPHFS FSAL, or do any other FSALs also include support for it? I took a cursory look at the release documents and didn’t see Labelled NFS in them, so thought I would bug you directly.
<br>
<br>
<br>
<br>
Thanks.<br>
<br>
<br>
<br>
-Janak<br>
<br>
<br>
<br>
<br>
<br>
From: Jiffin Tony Thottan &lt;jthottan@redhat.com&gt;<br>
Date: Tuesday, August 28, 2018 at 12:50 AM<br>
To: Janak Desai &lt;Janak.Desai@gtri.gatech.edu&gt;, "ndevos@redhat.com" &lt;ndevos@redhat.com&gt;, "mselvaga@redhat.com" &lt;mselvaga@redhat.com&gt;<br>
Cc: "paul@paul-moore.com" &lt;paul@paul-moore.com&gt;<br>
Subject: Re: Quick question about the latest glusterfs and client side selinux support<br>
<br>
<br>
<br>
Hi Janak,<br>
<br>
Thanks for the interest. A basic selinux xlator is present in the gluster server stack. It stores the selinux context at the backend as an xattr. When we developed that xlator,
at that point there was no client to test the functionality. I don't know whether the required change in fuse got merged or not. As you mentioned, here we first need to figure out
whether the issue is related to the server. Can you collect a packet trace using tcpdump from the client while setting/getting the selinux context and send it by mail?<br>
<br>
Regards,<br>
<br>
Jiffin<br>
<br>
<br>
<br>
On Tuesday 28 August 2018 04:14 AM, Desai, Janak wrote:<br>
<br>
Hi Niels, Manikandan, Jiffin,<br>
<br>
<br>
<br>
I work for Georgia Tech Research Institute’s CIPHER Lab and am investigating suitability of glusterfs for a couple of large upcoming projects. My ‘google research’ is yielding confusing and inconclusive results, so I thought I would try and reach out to some
of the core developers to get some clarity.<br>
<br>
<br>
<br>
We use SELinux extensively in our software solution. I am trying to find out if, with the latest version 4.1 of glusterfs running on the latest version of rhel, I should be able to associate and enforce selinux contexts from glusterfs clients. I see in the
3.11 release notes that the selinux feature was implemented, but then I also see references to kernel work that is not done yet. I also could not find any documentation/examples on how to add/integrate this selinux translator to set up and enforce selinux labels
from the client side. In my simple test setup, which I mounted using the “selinux” option (which gluster does seem to recognize), I am getting the “operation not supported” error. I guess either I am not pulling in the selinux translator or I am running up
against other missing functionality in the kernel. I would really appreciate it if you could clear this up for me. If I am not configuring my mount correctly, I would appreciate it if you could point me to a document or an example. Our other option is the lustre filesystem,
since it does have a working client side association and enforcement of selinux contexts. However, lustre appears to be a lot more difficult to set up and maintain, and I would rather use glusterfs. We need a distributed (or parallel) filesystem that can work with
Hadoop. If glusterfs doesn’t pan out then I will look at labelled nfs 4.2 that is now available in rhel7. However, my google research shows much more Hadoop affinity for glusterfs than nfs v4.
<br>
<br>
<br>
<br>
I am also copying Paul Moore, with whom I collaborated a few years ago as part of the team that took Linux through its common criteria evaluation, and who I haven’t bugged lately ☺, to see if he can shed some light on any missing kernel dependencies. I am currently
testing with rhel7.5, but would be willing to try an upstream kernel if I have to, to get this proof of concept going. I know the underlying problem in the kernel is supporting extended attrs on FUSE file systems, but was wondering (and hoping) that at least setup/enforcement
of selinux contexts from client side for glusterfs is possible. <br>
<br>
<br>
<br>
Thanks.<br>
<br>
<br>
<br>
-Janak<br>
<br>
<br>
<br>
<br>
</div>
</span></font>
</body>
</html>