[Gluster-devel] Steps needed to support SElinux over FUSE mounts

Niels de Vos ndevos at redhat.com
Wed Dec 2 12:02:00 UTC 2015 

Hi,

At the moment it is not possible to set an SElinux context over a FUSE
mount. This is because FUSE (in the kernel) does not support SElinux.
I'll try to explain what we need to accomplish to get this working.

1. make it possible for SElinux to check sub-filesystems

   Currently SElinux only can check if a filesystem supports SElinux,
   based on the base filesystem. By default FUSE does not support
   SElinux, so it is not possible for sub-filesystems to support it
   either. When checking /proc/mounts a Gluster mount identifies itself
   with "fuse.glusterfs", which is <mainfs>.<subfs>.

   An experimental patch for the kernel has been attached to
   https://bugzilla.redhat.com/1272868


2. inform FUSE that the glusterfs sub-filesystem supports SElinux

   Mount options are passed on to the FUSE kernel module when mounting
   takes place. Some options are user-space process specific and can get
   filtered out, whereas others are passed to FUSE. We probably should
   pass the "selinux" mount option on to the kernel (if not done
   already). This includes making sure that other SElinux related mount
   options are valid and applied (check /sbin/mount.glusterfs script?).


3. secured brick processes, storage servers in enforcing mode

   Brick processes may only read/write contents in the brick directories
   that have SElinux type glusterd_brick_t. This means that when a
   client sets/reads a security.selinux extended attribute over a
   mountpoint, the brick process needs to convert the request to a
   trusted.gluster.selinux xattr. The security.selinux xattr on the
   brick is used by the kernel on the storage server to prevent
   unauthorized access to the contents in the brick directories. A
   conversion security.selinux<->trusted.gluster.selinux could be done
   in the Posix xlator, or in a new selinux one.

   Related to this last point, add-brick (and remove-brick?) would need
   to take care to set the right contexts of the brick directories. A
   patch that adds helper scripts has been posted quite a while back
   already: http://review.gluster.org/6630


4. do we need to add libgfapi functions?

   Not sure about this point yet. Maybe Samba, NFS-Ganesha (for labelled
   NFS) or QEMU would like to be able to set specific SElinux contexts.
   It would probably be cleaner to do this through an API call and not
   have the applications set the security.selinux xattr itself.

Comments on this are much appreciated. Let me know if Manikandan and I
have missed something and we'll make sure to add it. Once we have
received a few replies, we will also post a description of how it all
hangs together to the glusterfs-specs repository [1].

Thanks,
Manikandan & Niels


1. https://github.com/gluster/glusterfs-specs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20151202/34e8b3da/attachment.sig>

More information about the Gluster-devel mailing list