[Gluster-devel] Steps needed to support SElinux over FUSE mounts
Niels de Vos
ndevos at redhat.com
Wed Dec 2 12:02:00 UTC 2015
At the moment it is not possible to set an SElinux context over a FUSE
mount. This is because FUSE (in the kernel) does not support SElinux.
I'll try to explain what we need to accomplish to get this working.
1. make it possible for SElinux to check sub-filesystems
Currently SElinux only can check if a filesystem supports SElinux,
based on the base filesystem. By default FUSE does not support
SElinux, so it is not possible for sub-filesystems to support it
either. When checking /proc/mounts a Gluster mount identifies itself
with "fuse.glusterfs", which is <mainfs>.<subfs>.
An experimental patch for the kernel has been attached to
2. inform FUSE that the glusterfs sub-filesystem supports SElinux
Mount options are passed on to the FUSE kernel module when mounting
takes place. Some options are user-space process specific and can get
filtered out, whereas others are passed to FUSE. We probably should
pass the "selinux" mount option on to the kernel (if not done
already). This includes making sure that other SElinux related mount
options are valid and applied (check /sbin/mount.glusterfs script?).
3. secured brick processes, storage servers in enforcing mode
Brick processes may only read/write contents in the brick directories
that have SElinux type glusterd_brick_t. This means that when a
client sets/reads a security.selinux extended attribute over a
mountpoint, the brick process needs to convert the request to a
trusted.gluster.selinux xattr. The security.selinux xattr on the
brick is used by the kernel on the storage server to prevent
unauthorized access to the contents in the brick directories. A
conversion security.selinux<->trusted.gluster.selinux could be done
in the Posix xlator, or in a new selinux one.
Related to this last point, add-brick (and remove-brick?) would need
to take care to set the right contexts of the brick directories. A
patch that adds helper scripts has been posted quite a while back
4. do we need to add libgfapi functions?
Not sure about this point yet. Maybe Samba, NFS-Ganesha (for labelled
NFS) or QEMU would like to be able to set specific SElinux contexts.
It would probably be cleaner to do this through an API call and not
have the applications set the security.selinux xattr itself.
Comments on this are much appreciated. Let me know if Manikandan and I
have missed something and we'll make sure to add it. Once we have
received a few replies, we will also post a description of how it all
hangs together to the glusterfs-specs repository .
Manikandan & Niels
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: not available
More information about the Gluster-devel