[Gluster-devel] Quick question about the latest glusterfs and client side selinux support

Desai, Janak Janak.Desai at gtri.gatech.edu
Fri Jun 21 12:04:58 UTC 2019

Thank you so much Jiffin for the quick response!

From: Jiffin Thottan <jthottan at redhat.com>
Sent: Thursday, June 20, 2019 11:58:52 PM
To: Desai, Janak
Cc: Gluster Devel; nfs-ganesha-devel
Subject: Re: Quick question about the latest glusterfs and client side selinux support

Hi Janak,

Currently, it is supported in glusterfs (from 2.8 onwards) and cephfs (already there in 2.7) for nfs-ganesha.


----- Original Message -----
From: "Janak Desai" <Janak.Desai at gtri.gatech.edu>
To: "Jiffin Tony Thottan" <jthottan at redhat.com>
Sent: Thursday, June 20, 2019 9:29:09 PM
Subject: Re: Quick question about the latest glusterfs and client side selinux support

Hi Jiffin,

I came across your presentation “NFS-Ganesha Weather Report” that you gave at the FOSDEM’19 in early Feb this year. In that you mentioned that ongoing developments in v2.8 include “labelled NFS” support. I see that v2.8 is now out.  Do you know if labelled NFS support made it in?  If it did, is it only supported in CEPHFS FSAL or any other FSALs also include the support for it? I took a cursory look at the release documents and didn’t see Labelled NFS in it, so thought I would bug you directly.



From: Jiffin Tony Thottan <jthottan at redhat.com>
Date: Tuesday, August 28, 2018 at 12:50 AM
To: Janak Desai <Janak.Desai at gtri.gatech.edu>, "ndevos at redhat.com" <ndevos at redhat.com>, "mselvaga at redhat.com" <mselvaga at redhat.com>
Cc: "paul at paul-moore.com" <paul at paul-moore.com>
Subject: Re: Quick question about the latest glusterfs and client side selinux support

Hi Janak,

Thanks for the interest. Basic selinux xlator is present at gluster server stack. It stores selinux context at the backend as an xattr. When we developed that xlator, at that point there was no client to test the functionality. Don't know whether the required change in fuse got merged or not. As you mentioned, here first we need to figure out whether the issue is related to the server. Can collect the packet trace using tcpdump from client and send with mail during setting/getting selinux context.



On Tuesday 28 August 2018 04:14 AM, Desai, Janak wrote:

Hi Niels, Manikandan, Jiffin,

I work for Georgia Tech Research Institute’s CIPHER Lab and am investigating suitability of glusterfs for a couple of large upcoming projects. My ‘google research’ is yielding confusing and inconclusive results, so I thought I would try and reach out to some of the core developers to get some clarity.

We use SELinux extensively in our software solution. I am trying to find out if, with the latest version 4.1 of glusterfs running on the latest version of rhel, I should be able to associate and enforce selinux contexts from glusterfs clients. I see in the 3.11 release notes that the selinux feature was implemented but then I also see references to kernel work that is not done yet. I also could not find any documentation/examples on how to add/integrate this selinux translator to set up and enforce selinux labels from the client side. In my simple test setup, which I mounted using the “selinux” option (which gluster does seem to recognize), I am getting the “operation not supported” error. I guess either I am not pulling in the selinux translator or I am running up against other missing functionality in the kernel. I would really appreciate it if you could clear this up for me. If I am not configuring my mount correctly, I would appreciate it if you could point me to a document or an example. Our other option is lustre filesystem since it does have a working client side association and enforcement of selinux contexts. However, lustre appears to be a lot more difficult to set up and maintain and I would rather use glusterfs. We need a distributed (or parallel) filesystem that can work with Hadoop. If glusterfs doesn’t pan out then I will look at labelled nfs 4.2 that is now available in rhel7. However, my google research shows much more Hadoop affinity for glusterfs than nfs v4.

I am also copying Paul Moore, with whom I collaborated a few years ago as part of the team that took Linux through its common criteria evaluation, and who I haven’t bugged lately ☺, to see if he can shed some light on any missing kernel dependencies. I am currently testing with rhel7.5, but would be willing to try upstream kernel if I have to, to get this proof of concept going. I know the underlying problem in the kernel is supporting extended attrs on FUSE file systems, but was wondering (and hoping) that at least setup/enforcement of selinux contexts from client side for glusterfs is possible.


