[Bugs] [Bug 1256635] New: Cannot set selinux context on files on a glusterfs mount

bugzilla at redhat.com bugzilla at redhat.com
Tue Aug 25 07:19:13 UTC 2015 

https://bugzilla.redhat.com/show_bug.cgi?id=1256635

            Bug ID: 1256635
           Summary: Cannot set selinux context on files on a glusterfs
                    mount
           Product: Red Hat Gluster Storage
           Version: 3.1
         Component: glusterfs-fuse
          Keywords: Triaged
          Severity: high
          Assignee: rhs-bugs at redhat.com
          Reporter: bkunal at redhat.com
        QA Contact: storage-qa-internal at redhat.com
                CC: aavati at redhat.com, bugs at gluster.org, csaba at redhat.com,
                    gluster-bugs at redhat.com, mmadhusu at redhat.com,
                    nlevinki at redhat.com, rda at rincon.com
        Depends On: 1252627
             Group: redhat



+++ This bug was initially created as a clone of Bug #1252627 +++

Description of problem:
After creating a gluster volume on top of xfs partitions, and mounting that
volume, I'm unable to change the security context of files on the mounted
filesystem.

Version-Release number of selected component:  Tested with both

glusterfs-3.6.4-1.el6.x86_64
glusterfs-api-3.6.4-1.el6.x86_64
glusterfs-cli-3.6.4-1.el6.x86_64
glusterfs-debuginfo-3.6.4-1.el6.x86_64
glusterfs-extra-xlators-3.6.4-1.el6.x86_64
glusterfs-fuse-3.6.4-1.el6.x86_64
glusterfs-libs-3.6.4-1.el6.x86_64
glusterfs-server-3.6.4-1.el6.x86_64

glusterfs-3.7.3-1.el6.x86_64
glusterfs-api-3.7.3-1.el6.x86_64
glusterfs-cli-3.7.3-1.el6.x86_64
glusterfs-client-xlators-3.7.3-1.el6.x86_64
glusterfs-debuginfo-3.7.3-1.el6.x86_64
glusterfs-fuse-3.7.3-1.el6.x86_64
glusterfs-libs-3.7.3-1.el6.x86_64
glusterfs-server-3.7.3-1.el6.x86_64


How reproducible:  Always


Steps to Reproduce:  (for 3.7.3)
Built the latest RPM's from source from:
http://dl.fedoraproject.org/pub/epel/6/SRPMS/userspace-rcu-0.7.7-1.el6.src.rpm
http://download.gluster.org/pub/gluster/glusterfs/LATEST/RHEL/epel-6.6/SRPMS/glusterfs-3.7.3-1.el6.src.rpm

rpm -ivh glusterfs-3.7.3-1.el6.src.rpm
cd rpmbuild
rpmbuild -ba SPECS/glusterfs.spec |& tee log
  (put the rpm's in a private repository)

Create two test VM's, "ga" and "gb" using rhel66.  Each VM has partitions:
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda8        6558440 2802892   3415736  46% /
tmpfs             510028       0    510028   0% /dev/shm
/dev/vda3         200000   10400    189600   6% /b1
/dev/vda5         200000   10400    189600   6% /b2
/dev/vda6         200000   10400    189600   6% /b3
/dev/vda7         200000   10400    189600   6% /b4
/dev/vda1         243823   28113    202910  13% /boot

/dev/vda1: UUID="d3642293-57b1-4988-ac4f-85b0635e64c6" TYPE="ext4" 
/dev/vda2: UUID="f08a07bf-9222-45c7-9fd1-4d33207a8b86" TYPE="swap" 
/dev/vda3: UUID="ae1d0314-c22d-401e-a1b9-cf30fa4c6542" TYPE="xfs" 
/dev/vda5: UUID="5d32686c-5f00-4a00-ac06-539d2b85110d" TYPE="xfs" 
/dev/vda6: UUID="97e56854-76e6-4484-9afb-c5f56907df6e" TYPE="xfs" 
/dev/vda7: UUID="9e4d2bd4-de96-43f0-9aa3-3769cb22d508" TYPE="xfs" 
/dev/vda8: UUID="0be135b1-9bd5-49f5-8b21-8f43367a825b" TYPE="ext4" 

For the test we're only using the /b1 partitions on each host as our test
bricks.

yum install glusterfs glusterfs-api glusterfs-cli glusterfs-client-xlators
glusterfs-debuginfo glusterfs-fuse glusterfs-libs glusterfs-server

Create the a replicated volume:
chkconfig glusterd on
service glusterd start
gluster peer probe ga
gluster peer probe gb

gluster volume create gvol replica 2 transport tcp ga:/b1 gb:/b1 force
gluster volume start  gvol
gluster volume set    gvol auth.allow ga,gb
gluster volume set    gvol nfs.disable on

gluster volume info
    Volume Name: gvol
    Type: Replicate
    Volume ID: 4eeb493c-ed5f-4c3b-8945-4d14848a95d5
    Status: Started
    Number of Bricks: 1 x 2 = 2
    Transport-type: tcp
    Bricks:
    Brick1: ga:/b1
    Brick2: gb:/b1
    Options Reconfigured:
    nfs.disable: on
    auth.allow: ga,gb
    performance.readdir-ahead: on

On each host, mount the volume
mkdir /data
mount -t glusterfs -o selinux localhost:/gvol /data

Check that the --selinux switch is asserted ... 
# ps -eo args |grep glust
/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
/usr/sbin/glusterfsd -s gb --volfile-id gvol.gb.b1 -p
/var/lib/glusterd/vols/gvol/run/gb-b1.pid -S
/var/run/gluster/8dd23446126b2065164fdba21397998f.socket --brick-name /b1 -l
/var/log/glusterfs/bricks/b1.log --xlator-option
*-posix.glusterd-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e --brick-port 49152
--xlator-option gvol-server.listen-port=49152
/usr/sbin/glusterfs -s localhost --volfile-id gluster/glustershd -p
/var/lib/glusterd/glustershd/run/glustershd.pid -l
/var/log/glusterfs/glustershd.log -S
/var/run/gluster/a8c70c7c13620b79a8b5d26757294453.socket --xlator-option
*replicate*.node-uuid=72fb7173-c1d3-4edd-b7e6-e7633e33358e
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol
/data


Make some directories and files:

mkdir -p /data/a/b/c
echo test file > /data/a/b/myfile

Now for the test ...

Actual results:
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile

[root at ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile
chcon: failed to change context of `/data/a/b/myfile' to
`system_u:object_r:tftpdir_rw_t:s0': Operation not supported

[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile


Expected results:
[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /data/a/b/myfile

[root at ga ~]# chcon -t tftpdir_rw_t /data/a/b/myfile

[root at ga ~]# ls -Z /data/a/b/myfile
-rw-r--r--. root root system_u:object_r:tftpdir_rw_t:s0    /data/a/b/myfile


Additional info:
Works on other file systems:
[root at ga ~]# touch /tmp/x
[root at ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/x
[root at ga ~]# chcon -t tftpdir_rw_t /tmp/x
[root at ga ~]# ls -Z /tmp/x
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 /tmp/x

Both hosts have selinux enabled in permissive mode

The mount has selinux capability enabled.  Is there anything on the server side
that needs to be configured to enable selinux capability?


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1252627
[Bug 1252627] Cannot set selinux context on files in on a glusterfs mount
-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=apJqH0tq9l&a=cc_unsubscribe

More information about the Bugs mailing list