[Gluster-users] selinux status on RHEL/Centos 7

Niels de Vos ndevos at redhat.com
Thu Jun 30 13:41:06 UTC 2016


On Wed, Jun 29, 2016 at 01:32:24PM -0400, Ted Miller wrote:
> What is the status of selinux tagging on Centos 7?  I have read enough to
> know that this is a chain-like process requiring changes in the client, the
> server, FUSE, and the kernel to make it all work.  What is the current
> status of this process on Centos 7?
> 
> My use-case: I need to allow Apache to access files that are stored on
> gluster and mounted using FUSE.  What are my options (besides shutting down
> selinux for the Apache process)?

It is not possible yet to change the SELinux labels over FUSE. There are
some changes needed in Gluster to really support that, in the FUSE
kernel module and also in the SELinux part of the kernel. Possibly even
some selinux-policy changes...

Until then, you should be able to mount a Gluster volume with the
"context" option. This might work for you:

   # mount -t glusterfs \
        -o context="unconfined_u:object_r:httpd_sys_content_t:s0" \
        storage.example.com:/website /var/www/html

Or, you can allow Apache to access FUSE filesystems with a boolean:

  # setsebool httpd_use_fusefs on


The main bug that we use for tracking progress on different fronts is
currently https://bugzilla.redhat.com/show_bug.cgi?id=1318100 . Maybe
some parts of this can be made available in GlusterFS 3.9 (September),
but it is likely that additional components (like kernel) need more
time.

HTH,
Niels
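
A check for which of the two workarounds above is in effect for a mount point, as an added example that is not part of the original message. The function names and sample mount lines are constructed; it assumes the targeted policy, where a FUSE mount without a context option is labeled fusefs_t, and that /proc/mounts lists the context= option.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.
# Constructed sample in /proc/mounts format (assumed layout, not from a real host).
SAMPLE_MOUNTS='storage.example.com:/website /var/www/html fuse.glusterfs rw,relatime,context=unconfined_u:object_r:httpd_sys_content_t:s0,user_id=0,group_id=0,allow_other 0 0
storage.example.com:/data /srv/data fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other 0 0'

# Print the SELinux type forced by a context= option on the glusterfs FUSE
# mount at $2, reading /proc/mounts-style text from file $1.
# Prints nothing when no such mount with a context= option is listed.
mount_context_type() {
    awk -v mp="$2" '
        $2 == mp && $3 == "fuse.glusterfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^context=/) {
                    ctx = substr(opt[i], 9)   # text after "context="
                    gsub(/"/, "", ctx)        # kernel may quote the value
                    split(ctx, f, ":")        # user:role:type:level
                    print f[3]
                }
        }' "$1"
}

# Classify how httpd reaches the mount. $3 is the httpd_use_fusefs state
# ("on" or "off"), the last field printed by `getsebool httpd_use_fusefs`.
httpd_access_path() {
    t=$(mount_context_type "$1" "$2")
    case "$t" in
        # No context= found: files carry fusefs_t, so the boolean decides.
        "") if [ "$3" = "on" ]; then echo "boolean"; else echo "blocked"; fi ;;
        httpd_sys_content_t|httpd_sys_rw_content_t) echo "context:$t" ;;
        # Mounted with a type this check does not recognise as httpd content.
        *) echo "other-context:$t" ;;
    esac
}

# On a live host: sh check.sh --live /var/www/html
if [ "${1:-}" = "--live" ]; then
    httpd_access_path /proc/mounts "$2" \
        "$(getsebool httpd_use_fusefs | awk '{print $NF}')"
fi
```

A result of "context:..." means the mount option is doing the work and the boolean can stay off, which keeps Apache away from other FUSE mounts on the same host.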