[Bugs] [Bug 1252627] New: Cannot set selinux context on files on a glusterfs mount

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 11 23:12:50 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1252627

            Bug ID: 1252627
           Summary: Cannot set selinux context on files on a glusterfs mount
           Product: GlusterFS
           Version: 3.7.3
         Component: unclassified
          Severity: high
          Assignee: bugs at gluster.org
          Reporter: rda at rincon.com
                CC: bugs at gluster.org, gluster-bugs at redhat.com



Description of problem:
After creating a gluster volume on top of xfs partitions, and mounting that
volume, I'm unable to change the security context of files on the mounted
filesystem.

Version-Release number of selected component:  Tested with both

glusterfs-3.6.4-1.el6.x86_64
glusterfs-api-3.6.4-1.el6.x86_64
glusterfs-cli-3.6.4-1.el6.x86_64
glusterfs-debuginfo-3.6.4-1.el6.x86_64
glusterfs-extra-xlators-3.6.4-1.el6.x86_64
glusterfs-fuse-3.6.4-1.el6.x86_64
glusterfs-libs-3.6.4-1.el6.x86_64
glusterfs-server-3.6.4-1.el6.x86_64

glusterfs-3.7.3-1.el6.x86_64
glusterfs-api-3.7.3-1.el6.x86_64
glusterfs-cli-3.7.3-1.el6.x86_64
glusterfs-client-xlators-3.7.3-1.el6.x86_64
glusterfs-debuginfo-3.7.3-1.el6.x86_64
glusterfs-fuse-3.7.3-1.el6.x86_64
glusterfs-libs-3.7.3-1.el6.x86_64
glusterfs-server-3.7.3-1.el6.x86_64


How reproducible:  Always


Steps to Reproduce:  (for 3.7.3)
Built the latest RPMs from source from:
http://dl.fedoraproject.org/pub/epel/6/SRPMS/userspace-rcu-0.7.7-1.el6.src.rpm
http://download.gluster.org/pub/gluster/glusterfs/LATEST/RHEL/epel-6.6/SRPMS/glusterfs-3.7.3-1.el6.src.rpm

rpm -ivh glusterfs-3.7.3-1.el6.src.rpm
cd rpmbuild
rpmbuild -ba SPECS/glusterfs.spec |& tee log
  (put the RPMs in a private repository)

Create two test VMs, "ga" and "gb", using rhel66.  Each VM has partitions:
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda8        6558440 2802892   3415736  46% /
tmpfs             510028       0    510028   0% /dev/shm
/dev/vda3         200000   10400    189600   6% /b1
/dev/vda5         200000   10400    189600   6% /b2
/dev/vda6         200000   10400    189600   6% /b3
/dev/vda7         200000   10400    189600   6% /b4
/dev/vda1         243823   28113    202910  13% /boot

/dev/vda1: UUID="d3642293-57b1-4988-ac4f-85b0635e64c6" TYPE="ext4" 
/dev/vda2: UUID="f08a07bf-9222-45c7-9fd1-4d33207a8b86" TYPE="swap" 
/dev/vda3: UUID="ae1d0314-c22d-401e-a1b9-cf30fa4c6542" TYPE="xfs" 
/dev/vda5: UUID="5d32686c-5f00-4a00-ac06-539d2b85110d" TYPE="xfs" 
/dev/vda6: UUID="97e56854-76e6-4484-9afb-c5f56907df6e" TYPE="xfs" 
/dev/vda7: UUID="9e4d2bd4-de96-43f0-9aa3-3769cb22d508" TYPE="xfs" 
/dev/vda8: UUID="0be135b1-9bd5-49f5-8b21-8f43367a825b" TYPE="ext4" 

For the test we're only using the /b1 partitions on each host as our test
bricks.

yum install glusterfs glusterfs-api glusterfs-cli glusterfs-client-xlators
glusterfs-debuginfo glusterfs-fuse glusterfs-libs glusterfs-server

Create a replicated volume:
chkconfig glusterd on
service glusterd start
gluster peer probe ga
gluster peer probe gb

gluster volume create gvol replica 2 transport tcp ga:/b1 gb:/b1 force
gluster volume start  gvol
gluster volume set    gvol auth.allow ga,gb
gluster volume set    gvol nfs.disable on

gluster volume info
    Volume Name: gvol
    Type: Replicate
    Volume ID: 4eeb493c-ed5f-4c3b-8945-4d14848a95d5
    Status: Started
    Number of Bricks: 1 x 2 = 2
    Transport-type: tcp
    Bricks:
    Brick1: ga:/b1
    Brick2: gb:/b1
    Options Reconfigured:
    nfs.disable: on
    auth.allow: ga,gb
    performance.readdir-ahead: on

On each host, mount the volume
mkdir /data
mount -t glusterfs -o selinux localhost:/gvol /data

Check that the --selinux switch is asserted ... 
# ps -eo args |grep glust
/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
/usr/sbin/glusterfsd -s gb --volfile-id gvol.gb.b1 -p /var/lib/glusterd/vols/gvol/run/gb-b1.pid -S /var/run/gluster/8dd23446126b2065164fdba21397998f.socket --brick-name /b1 -l /var/log/glusterfs/bricks/b1.log --xlator-option *-posix.glusterd-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e --brick-port 49152 --xlator-option gvol-server.listen-port=49152
/usr/sbin/glusterfs -s localhost --volfile-id gluster/glustershd -p /var/lib/glusterd/glustershd/run/glustershd.pid -l /var/log/glusterfs/glustershd.log -S /var/run/gluster/a8c70c7c13620b79a8b5d26757294453.socket --xlator-option *replicate*.node-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol /data


Make some directories and files:

mkdir -p /data/a/b/c
echo test file > /data/a/b/myfile

Now for the test ...

Actual results:
[root@ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile

[root@ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile
chcon: failed to change context of `/data/a/b/myfile' to `system_u:object_r:tftpdir_rw_t:s0': Operation not supported

[root@ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile


Expected results:
[root@ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile

[root@ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile

[root@ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:tftpdir_rw_t:s0    /data/a/b/myfile


Additional info:
Works on other file systems:
[root@ga ~]# touch /tmp/x
[root@ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/x
[root@ga ~]# chcon -t tftpdir_rw_t /tmp/x
[root@ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 /tmp/x

Both hosts have selinux enabled in permissive mode

The mount has selinux capability enabled.  Is there anything on the server side
that needs to be configured to enable selinux capability?
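A diagnostic for the failure described in this report, added here as an example; it is not code from the bug report or from the GlusterFS project. It automates the two checks the reporter did by hand (is the FUSE client for a given mountpoint running with --selinux, and what does the failed label write actually mean) and adds the brick-side getfattr comparison. The function names, the extra /mnt/nosel client in the sample ps output, and the live_check helper are assumptions; the sample is constructed from the ps lines in the report plus that one added line.

```shell
#!/bin/sh
# Added example, not part of the bug report or of GlusterFS.
# Function names and the /mnt/nosel mount are hypothetical.

# Constructed sample: the `ps -eo args` lines from the report, unwrapped and
# shortened, plus one glusterfs client (/mnt/nosel) mounted without -o selinux.
SAMPLE_PS='/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
/usr/sbin/glusterfsd -s gb --volfile-id gvol.gb.b1 -p /var/lib/glusterd/vols/gvol/run/gb-b1.pid --brick-name /b1 -l /var/log/glusterfs/bricks/b1.log --brick-port 49152
/usr/sbin/glusterfs -s localhost --volfile-id gluster/glustershd -p /var/lib/glusterd/glustershd/run/glustershd.pid -l /var/log/glusterfs/glustershd.log
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol /data
/usr/sbin/glusterfs --volfile-server=localhost --volfile-id=/gvol /mnt/nosel'

# client_has_selinux MOUNTPOINT   (reads `ps -eo args` output on stdin)
#   exit 0: a glusterfs client for MOUNTPOINT was started with --selinux
#   exit 1: a client for MOUNTPOINT exists but lacks --selinux
#   exit 2: no glusterfs client process found for MOUNTPOINT
client_has_selinux() {
    awk -v mp="$1" '
        # The FUSE client is /usr/sbin/glusterfs (not glusterfsd, the brick
        # daemon) and its last argument is the mountpoint.
        $1 ~ /glusterfs$/ && $NF == mp {
            seen = 1
            for (i = 2; i < NF; i++) if ($i == "--selinux") found = 1
        }
        END { if (!seen) exit 2; exit (found ? 0 : 1) }
    '
}

# classify_label_error "<stderr from chcon or setfattr>"
# chcon(1) ends in setxattr(2) on security.selinux, so the error string says
# which layer refused the write. Prints "CODE: hint"; returns 1 if unrecognised.
classify_label_error() {
    case "$1" in
        *"Operation not supported"*)
            echo "ENOTSUP: the filesystem rejected a security.* xattr; on a FUSE mount that is the client, not SELinux policy, so permissive mode cannot help. Compare with getfattr on the brick." ;;
        *"Permission denied"*|*"Operation not permitted"*)
            echo "EACCES/EPERM: the write reached the filesystem and was denied; check DAC ownership and ausearch -m AVC." ;;
        *"Read-only file system"*)
            echo "EROFS: the mount is read-only." ;;
        *)
            echo "UNKNOWN: $1"; return 1 ;;
    esac
}

# live_check MOUNTPOINT FILE [BRICKFILE]   (hypothetical helper; run by hand)
# Runs the real checks on a host: client flag, current label, a direct
# setxattr of security.selinux (what chcon does), and the brick's xattrs.
live_check() {
    mp=$1; f=$2; brick=$3
    if ps -eo args | client_has_selinux "$mp"; then
        echo "client for $mp started with --selinux"
    else
        echo "client for $mp lacks --selinux (rc=$?)"
    fi
    ls -Z "$f"
    err=$(setfattr -n security.selinux -v system_u:object_r:tftpdir_rw_t:s0 "$f" 2>&1) \
        && echo "setxattr of security.selinux succeeded" \
        || classify_label_error "$err"
    # On a brick host: does the backing xfs carry security.selinux next to
    # trusted.gfid? (-m . lists trusted.* and security.*, which getfattr hides by default.)
    if [ -n "$brick" ]; then getfattr -m . -d --absolute-names "$brick"; fi
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | client_has_selinux /data && echo "/data: --selinux present"
printf '%s\n' "$SAMPLE_PS" | client_has_selinux /mnt/nosel || echo "/mnt/nosel: --selinux absent (rc=$?)"
classify_label_error 'chcon: failed to change context of /data/a/b/myfile: Operation not supported'
```

The point of the classifier is the distinction the report's symptoms turn on: "Operation not supported" is EOPNOTSUPP coming back from setxattr(2), i.e. the filesystem layer (here the FUSE client) refused the security.selinux attribute outright. That is not an AVC denial, which is why both hosts being in permissive mode makes no difference, and why the next thing to look at is whether the same attribute exists on the brick path under /b1 rather than the SELinux policy.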
