[Gluster-devel] Steps needed to support SElinux over FUSE mounts
Niels de Vos
ndevos at redhat.com
Thu Dec 3 14:26:27 UTC 2015
On Wed, Dec 02, 2015 at 08:26:45PM -0500, Paul Moore wrote:
> On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> > Hi,
> >
> > At the moment it is not possible to set an SElinux context over a FUSE
> > mount. This is because FUSE (in the kernel) does not support SElinux.
> > I'll try to explain what we need to accomplish to get this working.
> >
> > 1. make it possible for SElinux to check sub-filesystems
> >
> > Currently SElinux only can check if a filesystem supports SElinux,
> > based on the base filesystem. By default FUSE does not support
> > SElinux, so it is not possible for sub-filesystems to support it
> > either. When checking /proc/mounts a Gluster mount identifies itself
> > with "fuse.glusterfs", which is <mainfs>.<subfs>.
> >
> > An experimental patch for the kernel has been attached to
> > https://bugzilla.redhat.com/1272868
>
> I'm not very knowledgeable about gluster so I don't have much constructive to
> say about any of the points below, and my comments in the BZ above are still
> valid. I will say that I didn't have much luck getting a response from Eric,
> but I don't think that should stop anything at this point; if the gluster
> folks are okay with everything else, I have no problems with the proposed
> SELinux kernel bits (that weren't already mentioned in the BZ).
The approach looks good, but did not have any success with our testing
yet. The patch applied and running with the test-kernel does not make it
possible yet to change the SElinux context with "chcon". Even mounting
with the additional "seclabel" mount option does not help with that (but
it looks like a no-op in the kernel sources anyway).
# chcon -t home_user_t /mnt/README
chcon: failed to change context of ‘/mnt/README’ to ‘system_u:object_r:home_user_t:s0’: Operation not supported
Systemtap shows that the subtype is set correctly in the super_block at
the time selinux_sb_kern_mount() is called. I'm not sure what else is
needed to make this work. A suggestion what to check from a SElinux side
is welcome. The audit.log does not contain anything relevant at the time
of the mounting, maybe there is a way to enable more verbose logging of
some kind?
# stap vfs_kern_mount_subtype.stp
Beginning probe, press CTRL+C to exit...
vfs_kern_mount_subtype with subtype=glusterfs
mount_fs with type=fuse, subtype=glusterfs
security_sb_kern_mount with type=fuse, subtype=glusterfs
selinux_sb_kern_mount with type=fuse, subtype=glusterfs
selinux_parse_opts_str with options=seclabel
I've attached the systemtap script for reference.
Thanks,
Niels
-------------- next part --------------
#!/usr/bin/stap
#
# Script to help with investigation and debugging of the kernel patch posted at
# https://bugzilla.redhat.com/1272868
#
# This systemtap script will only work against a kernel that has the test-patch
# applied, otherwise you will get errors about unresolvable functions (most
# likely vfs_kern_mount_subtype).
#
probe begin
{
printf("Beginning probe, press CTRL+C to exit...\n");
}
probe kernel.function("vfs_kern_mount_subtype")
{
printf("vfs_kern_mount_subtype with subtype=%s\n",
kernel_string($subtype));
}
probe kernel.function("mount_fs")
{
printf("mount_fs with type=%s, subtype=%s\n",
kernel_string($type->name), kernel_string($subtype));
}
probe kernel.function("security_sb_kern_mount"),
kernel.function("selinux_sb_kern_mount")
{
printf("%s with type=%s, subtype=%s\n", probefunc(),
kernel_string($sb->s_type->name),
kernel_string($sb->s_subtype));
}
probe kernel.function("selinux_parse_opts_str")
{
printf("selinux_parse_opts_str with options=%s\n",
kernel_string($options));
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20151203/cb4d450b/attachment.sig>
More information about the Gluster-devel
mailing list