[Bugs] [Bug 1252627] New: Cannot set selinux context on files on a glusterfs mount
bugzilla at redhat.com
Tue Aug 11 23:12:50 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1252627
Bug ID: 1252627
Summary: Cannot set selinux context on files on a glusterfs mount
Product: GlusterFS
Version: 3.7.3
Component: unclassified
Severity: high
Assignee: bugs at gluster.org
Reporter: rda at rincon.com
CC: bugs at gluster.org, gluster-bugs at redhat.com
Description of problem:
After creating a gluster volume on top of xfs partitions, and mounting that
volume, I'm unable to change the security context of files on the mounted
filesystem.
Version-Release number of selected component: Tested with both
glusterfs-3.6.4-1.el6.x86_64
glusterfs-api-3.6.4-1.el6.x86_64
glusterfs-cli-3.6.4-1.el6.x86_64
glusterfs-debuginfo-3.6.4-1.el6.x86_64
glusterfs-extra-xlators-3.6.4-1.el6.x86_64
glusterfs-fuse-3.6.4-1.el6.x86_64
glusterfs-libs-3.6.4-1.el6.x86_64
glusterfs-server-3.6.4-1.el6.x86_64

glusterfs-3.7.3-1.el6.x86_64
glusterfs-api-3.7.3-1.el6.x86_64
glusterfs-cli-3.7.3-1.el6.x86_64
glusterfs-client-xlators-3.7.3-1.el6.x86_64
glusterfs-debuginfo-3.7.3-1.el6.x86_64
glusterfs-fuse-3.7.3-1.el6.x86_64
glusterfs-libs-3.7.3-1.el6.x86_64
glusterfs-server-3.7.3-1.el6.x86_64
How reproducible: Always
Steps to Reproduce: (for 3.7.3)
Built the latest RPMs from source from:
http://dl.fedoraproject.org/pub/epel/6/SRPMS/userspace-rcu-0.7.7-1.el6.src.rpm
http://download.gluster.org/pub/gluster/glusterfs/LATEST/RHEL/epel-6.6/SRPMS/glusterfs-3.7.3-1.el6.src.rpm
rpm -ivh glusterfs-3.7.3-1.el6.src.rpm
cd rpmbuild
rpmbuild -ba SPECS/glusterfs.spec |& tee log
(put the RPMs in a private repository)
Create two test VMs, "ga" and "gb", using rhel66. Each VM has partitions:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda8 6558440 2802892 3415736 46% /
tmpfs 510028 0 510028 0% /dev/shm
/dev/vda3 200000 10400 189600 6% /b1
/dev/vda5 200000 10400 189600 6% /b2
/dev/vda6 200000 10400 189600 6% /b3
/dev/vda7 200000 10400 189600 6% /b4
/dev/vda1 243823 28113 202910 13% /boot
/dev/vda1: UUID="d3642293-57b1-4988-ac4f-85b0635e64c6" TYPE="ext4"
/dev/vda2: UUID="f08a07bf-9222-45c7-9fd1-4d33207a8b86" TYPE="swap"
/dev/vda3: UUID="ae1d0314-c22d-401e-a1b9-cf30fa4c6542" TYPE="xfs"
/dev/vda5: UUID="5d32686c-5f00-4a00-ac06-539d2b85110d" TYPE="xfs"
/dev/vda6: UUID="97e56854-76e6-4484-9afb-c5f56907df6e" TYPE="xfs"
/dev/vda7: UUID="9e4d2bd4-de96-43f0-9aa3-3769cb22d508" TYPE="xfs"
/dev/vda8: UUID="0be135b1-9bd5-49f5-8b21-8f43367a825b" TYPE="ext4"
For the test we're only using the /b1 partitions on each host as our test bricks.
yum install glusterfs glusterfs-api glusterfs-cli glusterfs-client-xlators glusterfs-debuginfo glusterfs-fuse glusterfs-libs glusterfs-server
Create a replicated volume:
chkconfig glusterd on
service glusterd start
gluster peer probe ga
gluster peer probe gb
gluster volume create gvol replica 2 transport tcp ga:/b1 gb:/b1 force
gluster volume start gvol
gluster volume set gvol auth.allow ga,gb
gluster volume set gvol nfs.disable on
gluster volume info
Volume Name: gvol
Type: Replicate
Volume ID: 4eeb493c-ed5f-4c3b-8945-4d14848a95d5
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: ga:/b1
Brick2: gb:/b1
Options Reconfigured:
nfs.disable: on
auth.allow: ga,gb
performance.readdir-ahead: on
On each host, mount the volume
mkdir /data
mount -t glusterfs -o selinux localhost:/gvol /data
Check that the --selinux switch is asserted ...
# ps -eo args |grep glust
/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
/usr/sbin/glusterfsd -s gb --volfile-id gvol.gb.b1 -p /var/lib/glusterd/vols/gvol/run/gb-b1.pid -S /var/run/gluster/8dd23446126b2065164fdba21397998f.socket --brick-name /b1 -l /var/log/glusterfs/bricks/b1.log --xlator-option *-posix.glusterd-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e --brick-port 49152 --xlator-option gvol-server.listen-port=49152
/usr/sbin/glusterfs -s localhost --volfile-id gluster/glustershd -p /var/lib/glusterd/glustershd/run/glustershd.pid -l /var/log/glusterfs/glustershd.log -S /var/run/gluster/a8c70c7c13620b79a8b5d26757294453.socket --xlator-option *replicate*.node-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol /data
Make some directories and files:
mkdir -p /data/a/b/c
echo test file > /data/a/b/myfile
Now for the test ...
Actual results:
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0 /data/a/b/myfile
[root at ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile
chcon: failed to change context of `/data/a/b/myfile' to
`system_u:object_r:tftpdir_rw_t:s0': Operation not supported
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0 /data/a/b/myfile
Expected results:
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0 /data/a/b/myfile
[root at ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:tftpdir_rw_t:s0 /data/a/b/myfile
Additional info:
Works on other file systems:
[root at ga ~]# touch /tmp/x
[root at ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/x
[root at ga ~]# chcon -t tftpdir_rw_t /tmp/x
[root at ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 /tmp/x
Both hosts have selinux enabled in permissive mode.
The mount has selinux capability enabled. Is there anything on the server side
that needs to be configured to enable selinux capability?
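The report verifies the --selinux switch by reading the ps output by eye and then observes the chcon failure by hand. The following Python script is an added example, not part of the bug report or of GlusterFS: it parses the `ps -eo args` and `ls -Z` output (the sample lines below are constructed from the output quoted above), and offers a non-destructive live probe that rewrites a file's existing security.selinux label onto itself so the "Operation not supported" symptom can be detected without changing any label. The function names, the `_VALUE_OPTIONS` list of glusterfs options that take a value, and the wording of the findings are this example's own assumptions.

```python
"""Checks for the SELinux-on-GlusterFS symptom described in this report.

Added example, not part of the bug report or of GlusterFS itself.
"""
import errno
import os
import re
import shlex

# Constructed sample: the `ps -eo args | grep glust` output quoted in the
# report, one process per line.
SAMPLE_PS = """\
/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
/usr/sbin/glusterfsd -s gb --volfile-id gvol.gb.b1 -p /var/lib/glusterd/vols/gvol/run/gb-b1.pid -S /var/run/gluster/8dd23446126b2065164fdba21397998f.socket --brick-name /b1 -l /var/log/glusterfs/bricks/b1.log --xlator-option *-posix.glusterd-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e --brick-port 49152 --xlator-option gvol-server.listen-port=49152
/usr/sbin/glusterfs -s localhost --volfile-id gluster/glustershd -p /var/lib/glusterd/glustershd/run/glustershd.pid -l /var/log/glusterfs/glustershd.log -S /var/run/gluster/a8c70c7c13620b79a8b5d26757294453.socket --xlator-option *replicate*.node-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol /data
"""

# Constructed sample: the `ls -Z` line from the report's "Actual results".
SAMPLE_LS_Z = "-rw-r--r--. root root system_u:object_r:fusefs_t:s0 /data/a/b/myfile"

# Assumed list of glusterfs options that consume the next argv element, so an
# absolute path following one of them is an option value, not a mount point.
_VALUE_OPTIONS = {"-s", "--volfile-server", "--volfile-id", "-p", "-S", "-l",
                  "--xlator-option", "--brick-name", "--brick-port", "--pid-file"}

# errno values behind "Operation not supported" (the same number on Linux).
_UNSUPPORTED = {getattr(errno, n) for n in ("ENOTSUP", "EOPNOTSUPP") if hasattr(errno, n)}


def gluster_client_mounts(ps_output):
    """Return {mount_point: started_with_selinux} for each FUSE client process.

    A client mount is a glusterfs process whose final argument is an absolute
    path that is not the value of a preceding option; glustershd and brick
    processes end in option values instead and are skipped.
    """
    mounts = {}
    for line in ps_output.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or os.path.basename(argv[0]) != "glusterfs":
            continue
        if not argv[-1].startswith("/") or argv[-2] in _VALUE_OPTIONS:
            continue
        mounts[argv[-1]] = "--selinux" in argv
    return mounts


_CONTEXT_RE = re.compile(
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)")


def parse_ls_z(line):
    """Extract the user/role/type/level fields of the context in an `ls -Z` line."""
    m = _CONTEXT_RE.search(line)
    if not m:
        raise ValueError("no SELinux context in: %r" % line)
    return m.groupdict()


def context_settable(path):
    """Non-destructive live probe: write the file's current security.selinux
    label back onto itself. True if the kernel accepts the setxattr, False if
    the filesystem reports it unsupported (the chcon failure in this report),
    None when xattrs or a label are unavailable (non-Linux host, no SELinux).
    """
    if not hasattr(os, "getxattr"):
        return None
    try:
        label = os.getxattr(path, "security.selinux")
        os.setxattr(path, "security.selinux", label)
        return True
    except OSError as exc:
        if exc.errno in _UNSUPPORTED:
            return False
        if exc.errno == getattr(errno, "ENODATA", None):
            return None
        raise


def diagnose(ps_output, mount_point, settable):
    """Combine the process check and the probe result into one finding."""
    mounts = gluster_client_mounts(ps_output)
    if mount_point not in mounts:
        return "not a glusterfs client mount"
    if not mounts[mount_point]:
        return "client started without --selinux: remount with -o selinux"
    if settable is False:
        return "client has --selinux but setxattr is unsupported: check the brick/server side"
    return "client has --selinux and labels are settable"


if __name__ == "__main__":
    print(gluster_client_mounts(SAMPLE_PS))
    print(parse_ls_z(SAMPLE_LS_Z)["type"])
    # Live probe of the report's file; only meaningful on the affected host.
    target = "/data/a/b/myfile"
    probe = context_settable(target) if os.path.exists(target) else None
    print(diagnose(SAMPLE_PS, "/data", probe))
```

On the affected host, feeding real `ps -eo args` output and the probe result of a file under /data to diagnose() distinguishes the two failure modes a practitioner cares about: a client mounted without the selinux option, versus a correctly mounted client whose setxattr is refused further down the stack, which is the situation the report describes.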