[Gluster-devel] Steps needed to support SElinux over FUSE mounts
Niels de Vos
ndevos at redhat.com
Thu Dec 3 17:58:24 UTC 2015
On Thu, Dec 03, 2015 at 10:30:49AM -0500, Brian Foster wrote:
> On Thu, Dec 03, 2015 at 03:26:27PM +0100, Niels de Vos wrote:
> > On Wed, Dec 02, 2015 at 08:26:45PM -0500, Paul Moore wrote:
> > > On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> > > > Hi,
> > > >
> > > > At the moment it is not possible to set an SElinux context over a FUSE
> > > > mount. This is because FUSE (in the kernel) does not support SElinux.
> > > > I'll try to explain what we need to accomplish to get this working.
> > > >
> > > > 1. make it possible for SElinux to check sub-filesystems
> > > >
> > > > Currently SElinux only can check if a filesystem supports SElinux,
> > > > based on the base filesystem. By default FUSE does not support
> > > > SElinux, so it is not possible for sub-filesystems to support it
> > > > either. When checking /proc/mounts a Gluster mount identifies itself
> > > > with "fuse.glusterfs", which is <mainfs>.<subfs>.
> > > >
> > > > An experimental patch for the kernel has been attached to
> > > > https://bugzilla.redhat.com/1272868
> > >
> > > I'm not very knowledgeable about gluster so I don't have much constructive to
> > > say about any of the points below, and my comments in the BZ above are still
> > > valid. I will say that I didn't have much luck getting a response from Eric,
> > > but I don't think that should stop anything at this point; if the gluster
> > > folks are okay with everything else, I have no problems with the proposed
> > > SELinux kernel bits (that weren't already mentioned in the BZ).
> >
> > The approach looks good, but we did not have any success with our testing
> > yet. The patch applied and running with the test-kernel does not make it
> > possible yet to change the SElinux context with "chcon". Even mounting
> > with the additional "seclabel" mount option does not help with that (but
> > it looks like a no-op in the kernel sources anyway).
> >
> > # chcon -t home_user_t /mnt/README
> > chcon: failed to change context of ‘/mnt/README’ to ‘system_u:object_r:home_user_t:s0’: Operation not supported
> >
> > Systemtap shows that the subtype is set correctly in the super_block at
> > the time selinux_sb_kern_mount() is called. I'm not sure what else is
> > needed to make this work. A suggestion on what to check from the SElinux side
> > is welcome. The audit.log does not contain anything relevant at the time
> > of the mounting, maybe there is a way to enable more verbose logging of
> > some kind?
> >
>
> I believe fuse modifications are required to enable SELinux support via
> xattrs. I had posted some prototype patches a ways back:
>
> http://sourceforge.net/p/fuse/mailman/fuse-devel/thread/1385389343-55663-1-git-send-email-bfoster%40redhat.com/#msg31678712
>
> These patches basically add the ability for the userspace fs to enable
> selinux in fuse, add the hooks for fuse to initialize security properly
> on new inodes (fairly boilerplate if you take a look at some other linux
> fs'), and add a notification mechanism to help userspace invalidate the
> security context on remote context changes.
Great, thanks! That surely looks like one of the pieces that I was
missing. It looks straightforward enough to update the patches for a more
current kernel, will let you know how that goes.
> IIRC, the latter is required since otherwise the security context is
> initialized on the in-memory inode once and never changed except via the
> explicit chcon (setxattr?) path. Therefore, client A doesn't have any
> clean way to notify the local kernel that the backend security context
> has changed via a chcon on client B.
Ok, with the upcall framework in Gluster we can now do
cache-invalidation. It is not hooked into the FUSE client yet, but
NFS-Ganesha already uses it through libgfapi. Adding this to the FUSE
client should not be too much work (once FUSE in the kernel has the
support for it).
> I also think an selinux policy update that enables selinux via xattrs
> support for "fuse.glusterfs" filesystems is a requirement to actually
> test any of this stuff. My understanding is that the kernel subtype
> thing is a requirement to distinguish glusterfs from other types of fuse
> filesystems, but the actual policy enablement for such fuse.glusterfs
> fs' is part of the userspace selinux-policy package.
>
> I have old, custom selinux-policy-3.12.1-95.fc21 rpm packages sitting
> around here that you're welcome to, but they might be too old at this
> point. I also might have prototype-level supporting code in glusterfs
> for some of this stuff (e.g., xattr name translation, remote context
> invalidation, etc.), but I'd have to dig around for that...
I think this might be included in the Fedora package already. At least
the package carries a patch that adds something for the fuse.glusterfs
filesystem:
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/policy-rawhide-base.patch#n18117
Many thanks for the details,
Niels
> Brian
>
> > # stap vfs_kern_mount_subtype.stp
> > Beginning probe, press CTRL+C to exit...
> > vfs_kern_mount_subtype with subtype=glusterfs
> > mount_fs with type=fuse, subtype=glusterfs
> > security_sb_kern_mount with type=fuse, subtype=glusterfs
> > selinux_sb_kern_mount with type=fuse, subtype=glusterfs
> > selinux_parse_opts_str with options=seclabel
> >
> >
> > I've attached the systemtap script for reference.
> >
> > Thanks,
> > Niels
>
> > #!/usr/bin/stap
> > #
> > # Script to help with investigation and debugging of the kernel patch posted at
> > # https://bugzilla.redhat.com/1272868
> > #
> > # This systemtap script will only work against a kernel that has the test-patch
> > # applied, otherwise you will get errors about unresolvable functions (most
> > # likely vfs_kern_mount_subtype).
> > #
> >
> > probe begin
> > {
> >     printf("Beginning probe, press CTRL+C to exit...\n");
> > }
> >
> > probe kernel.function("vfs_kern_mount_subtype")
> > {
> >     printf("vfs_kern_mount_subtype with subtype=%s\n",
> >            kernel_string($subtype));
> > }
> >
> > probe kernel.function("mount_fs")
> > {
> >     printf("mount_fs with type=%s, subtype=%s\n",
> >            kernel_string($type->name), kernel_string($subtype));
> > }
> >
> > probe kernel.function("security_sb_kern_mount"),
> >       kernel.function("selinux_sb_kern_mount")
> > {
> >     printf("%s with type=%s, subtype=%s\n", probefunc(),
> >            kernel_string($sb->s_type->name),
> >            kernel_string($sb->s_subtype));
> > }
> >
> > probe kernel.function("selinux_parse_opts_str")
> > {
> >     printf("selinux_parse_opts_str with options=%s\n",
> >            kernel_string($options));
> > }
>
>
>
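The thread describes a Gluster mount as the fstype "fuse.glusterfs" (<mainfs>.<subfs>) and the "seclabel" mount option. As an added example (not code from the thread, Gluster or FUSE), here is a small C diagnostic that parses entries in /proc/mounts format, splits the type into mainfs and subfs, and reports whether the kernel lists "seclabel" for the mount; the kernel's SELinux code only displays that option for superblocks it treats as labelable, so its absence on the fuse.glusterfs entry lines up with the "Operation not supported" that chcon printed above. The mounts text and the host/volume names in it are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in /proc/mounts format (not captured from a real host). */
static const char SAMPLE_MOUNTS[] =
    "/dev/sda1 / ext4 rw,relatime,seclabel 0 0\n"
    "tmpfs /tmp tmpfs rw,seclabel,nosuid 0 0\n"
    "gluster.example.com:/vol /mnt fuse.glusterfs rw,relatime,user_id=0,allow_other 0 0\n";

struct mount_info {
    char mnt[256], mainfs[32], subfs[32]; /* mount point, <mainfs>, <subfs> */
    int seclabel;                          /* 1 when "seclabel" is in the options */
};

/* Parse one /proc/mounts line: "<src> <mnt> <fstype> <opts> <freq> <pass>".
 * Returns 0 on success, -1 when the line lacks the expected fields. */
int parse_mount_line(const char *line, struct mount_info *out)
{
    char fstype[64], opts[256];
    const char *dot, *tok; size_t n;
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%*s %255s %63s %255s", out->mnt, fstype, opts) != 3)
        return -1;
    /* fstype is <mainfs>.<subfs> (e.g. fuse.glusterfs) or a bare name. */
    dot = strchr(fstype, '.');
    snprintf(out->mainfs, sizeof(out->mainfs), "%.*s",
             dot ? (int)(dot - fstype) : (int)strlen(fstype), fstype);
    if (dot) snprintf(out->subfs, sizeof(out->subfs), "%s", dot + 1);
    /* Options are comma separated; match "seclabel" only as a whole token. */
    for (tok = opts; *tok; tok += n + (tok[n] == ',')) {
        n = strcspn(tok, ",");
        if (n == 8 && strncmp(tok, "seclabel", 8) == 0) out->seclabel = 1;
    }
    return 0;
}

/* Find the entry for mount point mnt in the text of /proc/self/mounts.
 * Returns 1 and fills *out when found, 0 otherwise. */
int lookup_mount(const char *mounts, const char *mnt, struct mount_info *out)
{
    char line[1024];
    while (*mounts) {
        size_t len = strcspn(mounts, "\n");
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, mounts, len); line[len] = '\0';
        mounts += len + (mounts[len] == '\n');
        if (parse_mount_line(line, out) == 0 && strcmp(out->mnt, mnt) == 0)
            return 1;
    }
    return 0;
}
```

To check a live system, read /proc/self/mounts into a buffer and pass it to lookup_mount() with the mount point of the Gluster volume.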