[Gluster-devel] Steps needed to support SElinux over FUSE mounts
Paul Moore
pmoore at redhat.com
Thu Dec 3 01:26:45 UTC 2015
On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> Hi,
>
> At the moment it is not possible to set an SElinux context over a FUSE
> mount. This is because FUSE (in the kernel) does not support SElinux.
> I'll try to explain what we need to accomplish to get this working.
>
> 1. make it possible for SElinux to check sub-filesystems
>
> Currently SElinux can only check if a filesystem supports SElinux,
> based on the base filesystem. By default FUSE does not support
> SElinux, so it is not possible for sub-filesystems to support it
> either. When checking /proc/mounts a Gluster mount identifies itself
> with "fuse.glusterfs", which is <mainfs>.<subfs>.
>
> An experimental patch for the kernel has been attached to
> https://bugzilla.redhat.com/1272868
I'm not very knowledgeable about gluster so I don't have much constructive to
say about any of the points below, and my comments in the BZ above are still
valid. I will say that I didn't have much luck getting a response from Eric,
but I don't think that should stop anything at this point; if the gluster
folks are okay with everything else, I have no problems with the proposed
SELinux kernel bits (that weren't already mentioned in the BZ).
> 2. inform FUSE that the glusterfs sub-filesystem supports SElinux
>
> Mount options are passed on to the FUSE kernel module when mounting
> takes place. Some options are user-space process specific and can get
> filtered out, whereas others are passed to FUSE. We probably should
> pass the "selinux" mount option on to the kernel (if not done
> already). This includes making sure that other SElinux related mount
> options are valid and applied (check /sbin/mount.glusterfs script?).
>
>
> 3. secured brick processes, storage servers in enforcing mode
>
> Brick processes may only read/write contents in the brick directories
> that have SElinux type glusterd_brick_t. This means that when a
> client sets/reads a security.selinux extended attribute over a
> mountpoint, the brick process needs to convert the request to a
> trusted.gluster.selinux xattr. The security.selinux xattr on the
> brick is used by the kernel on the storage server to prevent
> unauthorized access to the contents in the brick directories. A
> conversion security.selinux<->trusted.gluster.selinux could be done
> in the Posix xlator, or in a new selinux one.
>
> Related to this last point, add-brick (and remove-brick?) would need
> to take care to set the right contexts of the brick directories. A
> patch that adds helper scripts has been posted quite a while back
> already: http://review.gluster.org/6630
>
>
> 4. do we need to add libgfapi functions?
>
> Not sure about this point yet. Maybe Samba, NFS-Ganesha (for labelled
> NFS) or QEMU would like to be able to set specific SElinux contexts.
> It would probably be cleaner to do this through an API call and not
> have the applications set the security.selinux xattr themselves.
>
> Comments on this are much appreciated. Let me know if Manikandan and I
> have missed something and we'll make sure to add it. Once we have
> received a few replies, we will also post a description of how it all
> hangs together to the glusterfs-specs repository [1].
>
> Thanks,
> Manikandan & Niels
>
> 1. https://github.com/gluster/glusterfs-specs
--
paul moore
security @ redhat
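The xattr translation described in point 3, as an added example in Python that is not part of this thread or of Gluster itself; the in-memory BrickStore, the sample labels, and the refusal of other security.* and trusted.* names from clients are assumptions about how such a translator would be written:

```python
# Added illustration of the security.selinux <-> trusted.gluster.selinux
# mapping from point 3; not Gluster code. The brick store is an in-memory
# dict and the reserved-prefix refusals are an assumed translator policy.

CLIENT_NAME = "security.selinux"        # name the client uses over the mount
BRICK_NAME = "trusted.gluster.selinux"  # name the brick stores it under

class BrickStore:
    """Stand-in for a brick directory. Its own kernel-managed
    security.selinux label (glusterd_brick_t) must never reach a client."""
    def __init__(self, label=b"system_u:object_r:glusterd_brick_t:s0"):
        self.attrs = {CLIENT_NAME: label}  # constructed sample label
    def set(self, name, value):
        self.attrs[name] = value
    def get(self, name):
        return self.attrs[name]
    def names(self):
        return list(self.attrs)

def client_to_brick(name):
    """Client-visible xattr name -> on-brick name; refuses reserved ones."""
    if name == CLIENT_NAME:
        return BRICK_NAME
    if name.startswith(("security.", "trusted.")):
        raise PermissionError(name)  # would touch the brick's own label
    return name

def brick_to_client(name):
    """On-brick name -> client-visible name, or None to hide it."""
    if name == BRICK_NAME:
        return CLIENT_NAME
    if name.startswith(("security.", "trusted.")):
        return None
    return name

class SelinuxXlator:
    """Translation layer a Posix or selinux xlator would implement."""
    def __init__(self, store):
        self.store = store
    def setxattr(self, name, value):
        self.store.set(client_to_brick(name), value)
    def getxattr(self, name):
        return self.store.get(client_to_brick(name))
    def listxattr(self):
        mapped = (brick_to_client(n) for n in self.store.names())
        return sorted(n for n in mapped if n is not None)
```

The listxattr filtering is the part worth checking on a real brick: the client must see its own label under security.selinux while the brick's glusterd_brick_t label stays invisible and unmodifiable.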