[Bugs] [Bug 1256635] Cannot set selinux context on files on a glusterfs mount
bugzilla at redhat.com
Fri Sep 11 00:16:10 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1256635
--- Comment #12 from Bob Arendt <rda at rincon.com> ---
The previous patch doesn't apply to RHEL 6. The API on security_fs_use() in
security/selinux/ss/services.c is different. The critical piece of the patch
fails.
On RHEL6 (in security/selinux/ss/services.c):

    int security_fs_use(const char *fstype, unsigned int *behavior, u32 *sid)

On RHEL7:

    int security_fs_use(struct super_block *sb)
Looking at the patch from Anand Avati, almost ALL of it just adds diagnostic
info to printk() statements. The only piece that affects operation is in
security/selinux/ss/services.c. At this point he's searching for a policy
match to sb->s_type (which is fstype) and sb->s_subtype. But neither the
subtype nor the superblock is available in the RHEL6 version of security_fs_use().
I took a different tack. It turns out that security_fs_use() is *only* called
from selinux_get_mnt_opts() in security/selinux/hooks.c (the other file Anand
modified). It looks like an equivalent way to accomplish this was to create a
concatenation of fstype and subtype and pass that in the fstype to
security_fs_use(). The critical piece of the patch looks like this:
    char type_subtype[256];

    if (strcmp(sb->s_type->name, "proc") == 0) {
        sbsec->flags |= SE_SBPROC;
        strcpy(type_subtype, "proc");
    } else {
        int tlen;

        tlen = strlcpy(type_subtype, sb->s_type->name, sizeof(type_subtype));
        if (sb->s_subtype && sb->s_subtype[0] != '\0' &&
            (tlen + 2 < sizeof(type_subtype))) {
            type_subtype[tlen++] = '.';
            strlcpy(type_subtype + tlen, sb->s_subtype, sizeof(type_subtype) - tlen);
        }
    }
    rc = security_fs_use(type_subtype, &sbsec->behavior, &sbsec->sid);
I built this against kernel-2.6.32-504.el6.src.rpm, patching the
SPECS/kernel.spec (kernel.spec.patch), which adds the patch
SOURCES/kernel-2.6.32-glusterselinux.patch (both attached).
The build and kernel succeed, but we still see the original error.
Let's use systemtap for further diagnosis. I made a simple systemtap script:
----------------
# cat g.stp
probe begin
{
    printf("Starting .. \n")
}

# Entry to selinux_set_mnt_opts(): dump the superblock fields that decide
# which fstype string ends up being looked up in the policy
probe kernel.function("selinux_set_mnt_opts")
{
    printf("opts:sb.type = %s\n", kernel_string($sb->s_type->name))
    printf("opts:sb.HAS_SUBTYPE = %d\n", ($sb->s_type->fs_flags & 4))
    st = $sb->s_subtype
    if (st == 0) printf("opts:sb.s_subtype = NULL\n")
    else printf("opts:sb.s_subtype = %s\n", kernel_string(st))
    op = $sb->s_options
    if (op == 0) printf("opts:sb.s_options = NULL\n")
    else printf("opts:sb.s_options = %s\n", kernel_string(op))
}

probe kernel.function("security_fs_use")
{
    printf(" fs.beg:fstype = %s\n", kernel_string($fstype))
}

probe kernel.function("security_fs_use").return
{
    # $behavior and $sid are out-pointers (unsigned int *, u32 *): read the
    # values they point to; printing $sid itself only shows the kernel
    # address of the u32, and kernel_string() on an int pointer yields junk
    printf(" fs.end:behavior = %d\n", kernel_int($behavior))
    printf(" fs.end:sid = %x\n", kernel_int($sid))
}
----------------
When I run it, and then mount my gluster volume:
mount -t glusterfs -o selinux localhost:/gvol /data
[root at ga ~]# stap g.stp
Starting ..
opts:sb.type = fuse
opts:sb.HAS_SUBTYPE = 4
opts:sb.s_subtype = NULL
opts:sb.s_options = NULL
fs.beg:fstype = fuse
fs.end:behavior =
fs.end:sid = ffff88003b7113d8
Notice that even though the fs_flags bit for HAS_SUBTYPE is set, the subtype
field is "opts:sb.s_subtype = NULL". The issue is that the subtype
"glusterfs" is not added to the sb->s_subtype record in the superblock. But it is
seen in /proc/mounts:
    localhost:/gvol /data fuse.glusterfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072 0 0
Any suggestions? Maybe the superblock isn't filled out yet? When does the
subtype get set, and does glusterfs do this?
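The type.subtype key construction from the hooks.c snippet above, together with the inverse split of the "fuse.glusterfs" string that /proc/mounts shows, as a user-space C example added here (not code from the patch or from the kernel). xstrlcpy, build_type_subtype and split_proc_mounts_type are names chosen for this example; the buffer sizes and inputs are constructed to exercise the truncation and empty-subtype edge cases.

```c
#include <string.h>

/* Portable strlcpy (glibc only gained one in 2.38): copies at most size-1
 * bytes, always NUL-terminates when size > 0, returns strlen(src). */
static size_t xstrlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Build "<type>.<subtype>" with the rules of the hooks.c snippet: "proc" never
 * gets a subtype; otherwise it is appended only when non-NULL, non-empty and
 * '.' plus at least one byte plus NUL still fit. A too-long subtype is
 * truncated; a too-short buffer keeps the bare type (e.g. plain "fuse"). */
const char *build_type_subtype(char *buf, size_t size,
                               const char *type, const char *subtype)
{
    if (strcmp(type, "proc") == 0) {
        xstrlcpy(buf, "proc", size);
        return buf;
    }
    size_t tlen = xstrlcpy(buf, type, size);   /* may exceed size if truncated */
    if (subtype && subtype[0] != '\0' && tlen + 2 < size) {
        buf[tlen++] = '.';
        xstrlcpy(buf + tlen, subtype, size - tlen);
    }
    return buf;
}

/* Inverse of the /proc/mounts display: the kernel prints s_type->name, then
 * '.' and s_subtype when one is set, so "fuse.glusterfs" means s_type->name
 * "fuse" with s_subtype "glusterfs". Returns 1 when a subtype was present. */
int split_proc_mounts_type(const char *shown, char *type, size_t tsize,
                           char *subtype, size_t ssize)
{
    const char *dot = strchr(shown, '.');      /* fs type names contain no '.' */
    size_t n = dot ? (size_t)(dot - shown) : strlen(shown);
    if (n >= tsize) n = tsize - 1;
    memcpy(type, shown, n);
    type[n] = '\0';
    xstrlcpy(subtype, dot ? dot + 1 : "", ssize);
    return dot != NULL;
}
```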