[Gluster-users] selinux context

Manikandan Selvaganesh mselvaga at redhat.com
Mon Nov 30 05:45:54 UTC 2015


Hi Ryan,
I am looking into this issue. As Niels said, currently it is not possible to set an SELinux context over a FUSE mount. The only way to tackle this problem as of now is to set the SELinux mode to Permissive, as you have mentioned. Hopefully, we will support this soon.

Thank you :-)

--
Regards,
Manikandan Selvaganesh.

----- Original Message -----
From: "Niels de Vos" <ndevos at redhat.com>
To: "Ryan Eschinger" <ryanesc at gmail.com>
Cc: gluster-users at gluster.org, "Manikandan Selvaganesh" <mselvaga at redhat.com>
Sent: Friday, November 27, 2015 4:35:18 PM
Subject: Re: [Gluster-users] selinux context

On Wed, Nov 25, 2015 at 03:22:16PM -0500, Ryan Eschinger wrote:
> We are trying to use GlusterFS storage for volumes mounted in Docker
> containers on CentOS 7 with SELinux enforcing. By default, I get
> `Permission denied` errors when trying to write to a mounted volume:
> 
> ```
> sudo docker run -it --rm -v /mnt/container-volumes/:/log/:rw ubuntu bash -c
> 'echo date >> /log/volume-test.log'
> bash: /log/volume-test.log: Permission denied
> ```
> 
> I thought we might be able to address this by changing the SELinux context
> on the GlusterFS directory (see
> http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/),
> but we get the following errors:
> 
> ```
> $ sudo chcon -Rt svirt_sandbox_file_t /mnt/container-volumes/
> chcon: failed to change context of ‘internal_op’ to
> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> chcon: failed to change context of ‘.trashcan’ to
> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> chcon: failed to change context of ‘/mnt/container-volumes/’ to
> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> ```
> 
> Note that the `:z` Docker volume option also generates the same error:
> 
> ```
> sudo docker run -it --rm -v /mnt/container-volumes/:/log/:z ubuntu bash -c
> 'echo date >> /log/volume-test.log'
> Error response from daemon: operation not supported
> ```
> 
> Next, I tried setting the context on the GlusterFS mount:
> 
> ```
> $ sudo mount -t glusterfs fs.glusterfs.service.consul:/container-volumes
> /mnt/container-volumes -o
> context="system_u:object_r:svirt_sandbox_file_t:s0"
> Invalid option: context
> ```
> 
> This looks similar to the question asked in
> http://www.gluster.org/pipermail/gluster-users.old/2015-January/020014.html
> but it was never answered.
> 
> I looked around in the docs and on the mailing list archives but couldn't
> find a way to solve this. Does anyone know how we can configure GlusterFS
> so that we can change the SELinux context? Is this supported? Am I missing
> any steps? Is there any other way of tackling this problem (short of
> setting SELinux to permissive mode)?
> 
> I'd appreciate any help! Let me know if there is any other information I
> could provide.
> 
> CentOS Linux release 7.1.1503
> glusterfs 3.7.6
> 
> (For the full context, you can see this issue:
> https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159689603
> )

Unfortunately it is not possible to set an SELinux context over FUSE. Not
all FUSE filesystems (can) support SELinux, and therefore the Linux
kernel does not enable SELinux support for any FUSE filesystem. We are
tracking this kernel issue/fix through bug 1272868 [1].

In addition to that, the SELinux extended attributes are passed on
directly as-is. This is not correct, and needs fixing too. The brick
processes should only be allowed to access a context like
'gluster_content_t', and the actual context that Gluster clients see
should be stored in a 'trusted.gluster.selinux' extended attribute
instead. Manikandan (on CC) was looking into this a couple of weeks ago,
and may have an update on this.

So, at the moment SELinux contexts on Gluster mount points are not
possible yet. This is something we want to enable in the (hopefully)
near future.

HTH,
Niels

1. https://bugzilla.redhat.com/show_bug.cgi?id=1272868
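
The kernel-side limitation Niels describes is visible in the mount table
before you touch chcon or Docker's `:z` option: a superblock that SELinux
labels is listed in /proc/self/mounts with the `seclabel` option, and a
FUSE mount on a kernel of that era is not. The script below is an added
diagnostic, not code from the thread or from the Gluster project. It
parses a constructed sample of /proc/self/mounts (the GlusterFS hostname
is the one from the thread; devices, options and the extra mounts are
illustrative) and reports, for a given path, which mount it lives on and
whether the kernel will accept an SELinux relabel there.

```python
"""Does a path sit on a mount the kernel will let you relabel for SELinux?

Added diagnostic, not part of the thread. It parses /proc/self/mounts, the
kernel's own mount table. A superblock whose filesystem supports SELinux
xattr labeling is shown with the "seclabel" mount option; on a 3.10-era
kernel no FUSE mount (fuse.glusterfs included) carries it, so chcon, the
Docker ":z" option and any setxattr("security.selinux") on that tree are
rejected with "Operation not supported" before GlusterFS sees the request.
"""
import os
import sys
from typing import List, NamedTuple, Optional

# Constructed sample of /proc/self/mounts from a CentOS 7 Docker host with a
# GlusterFS FUSE mount (hostname taken from the thread; everything else is
# illustrative). Note the \040 escape the kernel uses for a space in a path.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/centos-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/sdb1 /var/lib/docker xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
fs.glusterfs.service.consul:/container-volumes /mnt/container-volumes fuse.glusterfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072 0 0
/dev/sdc1 /mnt/with\\040space ext4 rw,seclabel,relatime,data=ordered 0 0
"""


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: List[str]

    @property
    def seclabel(self) -> bool:
        """True when SELinux labels this superblock, i.e. relabeling can work."""
        return "seclabel" in self.options


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes the kernel uses for space, tab, newline
    and backslash inside mount-table fields."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and \
                all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/self/mounts text: 'source target fstype options dump pass'."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        source, target, fstype, opts = fields[:4]
        mounts.append(Mount(_unescape(source), _unescape(target), fstype, opts.split(",")))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match of an absolute path against the mount points.
    Later entries win ties, because a later mount shadows an earlier one on
    the same directory (the real root over rootfs, for example)."""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        return None
    best: Optional[Mount] = None
    for m in mounts:
        prefix = m.target.rstrip("/") + "/"
        if path == m.target or path.startswith(prefix):
            if best is None or len(m.target) >= len(best.target):
                best = m
    return best


def labeling_supported(path: str, mounts: List[Mount]) -> Optional[bool]:
    """None if the path is on no listed mount, else whether a relabel can work."""
    m = mount_for(path, mounts)
    return None if m is None else m.seclabel


def explain(path: str, mounts: List[Mount]) -> str:
    """One-line verdict for a path, suitable for a pre-flight check."""
    m = mount_for(path, mounts)
    if m is None:
        return f"{path}: not on any listed mount"
    if m.seclabel:
        return f"{path}: {m.fstype} on {m.target} is labeled; the kernel accepts chcon / docker -v ...:z"
    return (f"{path}: {m.fstype} on {m.target} has no seclabel; the kernel rejects "
            f"chcon / :z with ENOTSUP (no SELinux labeling support for this filesystem)")


if __name__ == "__main__":
    # Live use on a host: python3 seclabel_check.py /mnt/container-volumes /var/lib/docker
    with open("/proc/self/mounts") as fh:
        live = parse_mounts(fh.read())
    for p in sys.argv[1:] or ["/mnt/container-volumes"]:
        print(explain(p, live))
```

Run with no arguments against the live mount table it checks
/mnt/container-volumes, the path from the thread. The same check by hand
is `grep container-volumes /proc/self/mounts` and looking for `seclabel`
in the options column; its absence is the kernel telling you in advance
that `chcon`, `:z` and the `context=` mount option cannot apply there,
which is why the only workaround available in this thread is Permissive
mode rather than any Gluster-side setting.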

