[Gluster-devel] What's the status of selinux integration?

Niels de Vos ndevos at redhat.com
Sat Aug 8 17:04:00 UTC 2015 

On Fri, Aug 07, 2015 at 05:30:21PM -0700, Bob Arendt wrote:
> I'm currently using gluster 3.6.2, and I've been exploring the gluster docs
> and source trees.  The man pages seem to indicate that there *should*
> be selinux support, perhaps augmented by adding a --selinux argument
> to glusterd, glusterfsd, and adding a selinux option to the glusterfs mount.

The feature to support SElinux over FUSE mounts boils down to the mount
option "selinux":

  # mount -t glusterfs -o selinux storage.example.com:/volume /mnt

The /sbin/mount.glusterfs helper sctipt parses the "selinux" option and
passes the /usr/sbin/glusterfs binary the --selinux argument.

The option is only affecting the client-side. Without the option the
special SElinux extended attributes are filtered and not sent to the
bricks (maybe even with an error returned). As long as the bricks
support SElinux, everything is expected to work.

In case something is not working correctly, please provide the exact
steps to reproduce with a clear example in a bug report.

    https://bugzilla.redhat.com/enter_bug.cgi?Product=GlusterFS

Thanks,
Niels


> But it looks like the gluster implementation is incomplete (or there's
> a configuration option that I'm missing).  Despite asserting these
> options on every level, I am unable to change the security context
> on any file or directory.  It remains statically assigned to:
>   system_u:object_r:fusefs_t:s0
> The context on the underlying brick is ignored as well.
> 
> Looking at the source for glusterd on github (which normally starts
> glusterfsd instances), glusterd does not have a mechanism to place a
> "--selinux" argument on the glusterfsd command line.  Likewise, I don't
> see much in the source that actually refers to selinux.
> 
> Looking here:
> http://www.gluster.org/community/documentation/index.php/Features/SELinux_Integration
> 
> .. I think that "There's really not any coding involved in the gluster side ..."
> might not be correct.  We really need to be able set per-directory and per-file
> selinux contexts in subdirectories on gluster volumes.
> 
> Is there a plan or work being done that would support per-directory selinux contexts?
> 
> Let me apologize in advance if this work is complete and I've missed
> a configuration item to enable it.  But scouring the documentation and
> source code I could not find it.  Any help or information would be appreciated.
> 
> Thank you,
> -Bob Arendt
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-devel

More information about the Gluster-devel mailing list