Yup there is something wrong??? Here I change the label on a random file in /tmp # strace chcon --reference=test afile execve("/usr/bin/chcon", ["chcon", "--reference=test", "afile"], [/* 30 vars */]) = 0 brk(0) = 0xe11000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc7e469000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0 mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcc7e44e000 close(3) = 0 open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pa o;\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=136440, ...}) = 0 mmap(0x3b6f200000, 2234408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f200000 mprotect(0x3b6f21f000, 2093056, PROT_NONE) = 0 mmap(0x3b6f41e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x3b6f41e000 mmap(0x3b6f420000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b6f420000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0 mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000 mprotect(0x3715dad000, 2097152, PROT_NONE) = 0 mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000 mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000 close(3) = 0 open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\35`o;\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=388152, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc7e44d000 mmap(0x3b6f600000, 2478664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f600000 mprotect(0x3b6f65c000, 2097152, PROT_NONE) = 0 mmap(0x3b6f85c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5c000) = 0x3b6f85c000 close(3) = 0 open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0267\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=22440, ...}) = 0 mmap(0x3716000000, 2109736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716000000 mprotect(0x3716003000, 2093056, PROT_NONE) = 0 mmap(0x3716202000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3716202000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc7e44c000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc7e44a000 arch_prctl(ARCH_SET_FS, 0x7fcc7e44a7c0) = 0 mprotect(0x60d000, 4096, PROT_READ) = 0 mprotect(0x3b6f41e000, 4096, PROT_READ) = 0 mprotect(0x3715fad000, 16384, PROT_READ) = 0 mprotect(0x3b6f85c000, 4096, PROT_READ) = 0 mprotect(0x3716202000, 4096, PROT_READ) = 0 mprotect(0x3715a20000, 4096, PROT_READ) = 0 munmap(0x7fcc7e44e000, 107608) = 0 statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 brk(0) = 0xe11000 brk(0xe32000) = 0xe32000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0 mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcc7805a000 close(3) = 0 getxattr("test", "security.selinux", "unconfined_u:object_r:user_tmp_t:s0", 255) = 36 open("/sys/fs/selinux/mls", O_RDONLY) = 3 read(3, "1", 19) = 1 close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 newfstatat(AT_FDCWD, "afile", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 setxattr("afile", "security.selinux", "unconfined_u:object_r:user_tmp_t:s0", 36, 0) = 0 close(1) = 0 close(2) = 0 exit_group(0) = ? +++ exited with 0 +++ And here I try the same on cephfs filesystem # strace chcon --reference=test afile execve("/usr/bin/chcon", ["chcon", "--reference=test", "afile"], [/* 30 vars */]) = 0 brk(0) = 0x24a4000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913992000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0 mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4913977000 close(3) = 0 open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pa o;\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=136440, ...}) = 0 mmap(0x3b6f200000, 2234408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f200000 mprotect(0x3b6f21f000, 2093056, PROT_NONE) = 0 mmap(0x3b6f41e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x3b6f41e000 mmap(0x3b6f420000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b6f420000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0 mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000 mprotect(0x3715dad000, 2097152, PROT_NONE) = 0 mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000 mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000 close(3) = 0 open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\35`o;\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=388152, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913976000 mmap(0x3b6f600000, 2478664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f600000 mprotect(0x3b6f65c000, 2097152, PROT_NONE) = 0 mmap(0x3b6f85c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5c000) = 0x3b6f85c000 close(3) = 0 open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0267\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=22440, ...}) = 0 mmap(0x3716000000, 2109736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716000000 mprotect(0x3716003000, 2093056, PROT_NONE) = 0 mmap(0x3716202000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3716202000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913975000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913973000 arch_prctl(ARCH_SET_FS, 0x7f49139737c0) = 0 mprotect(0x60d000, 4096, PROT_READ) = 0 mprotect(0x3b6f41e000, 4096, PROT_READ) = 0 mprotect(0x3715fad000, 16384, PROT_READ) = 0 mprotect(0x3b6f85c000, 4096, PROT_READ) = 0 mprotect(0x3716202000, 4096, PROT_READ) = 0 mprotect(0x3715a20000, 4096, PROT_READ) = 0 munmap(0x7f4913977000, 107608) = 0 statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 brk(0) = 0x24a4000 brk(0x24c5000) = 0x24c5000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0 mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f490d583000 close(3) = 0 getxattr("test", "security.selinux", "system_u:object_r:unlabeled_t:s0", 255) = 33 open("/sys/fs/selinux/mls", O_RDONLY) = 3 read(3, "1", 19) = 1 close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 newfstatat(AT_FDCWD, "afile", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 setxattr("afile", "security.selinux", "system_u:object_r:unlabeled_t:s0", 33, 0) = -1 EOPNOTSUPP (Operation not supported) open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2444, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913991000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2444 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f4913991000, 4096) = 0 open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) write(2, "chcon: ", 7chcon: ) = 7 write(2, "failed to change context of \342\200\230a"..., 81failed to change context of ‘afile’ to ‘system_u:object_r:unlabeled_t:s0’) = 81 open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, ": Operation not supported", 25: Operation not supported) = 25 write(2, "\n", 1 ) = 1 close(1) = 0 close(2) = 0 exit_group(1) = ? +++ exited with 1 +++ Darryl ________________________________________ From: Sage Weil [sage@xxxxxxxxxxx] Sent: Friday, February 22, 2013 10:17 AM To: Gregory Farnum Cc: Bond, Darryl; ceph-users@xxxxxxxxxxxxxx Subject: Re: Cephfs and SELinux On Thu, 21 Feb 2013, Gregory Farnum wrote: > On Thu, Feb 21, 2013 at 3:38 PM, Darryl Bond <dbond@xxxxxxxxxxxxx> wrote: > > Perhaps it was because i had allowed SELinux to write. > > > > I just checked and strangely symlinks get attributes but not files and > > directories. > > -rwxr-xr-x root root ? xwininfo > > -rwxr-xr-x root root ? xz > > lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 xzcat -> xz > > lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 xzcmp -> xzdiff > > -rwxr-xr-x root root ? xzdec > > -rwxr-xr-x root root ? xzdiff > > lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 xzegrep -> xzgrep > > lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 xzfgrep -> xzgrep > > -rwxr-xr-x root root ? xzgrep > > -rwxr-xr-x root root ? xzless > > -rwxr-xr-x root root ? xzmore > > -rwxr-xr-x root root ? yelp > > -rwxr-xr-x root root ? yes > > > > What strace would you like? > > 1. The permission denied when trying to write when Enforcing is enabled > > 2. The successful write when Enforcing is disabled > > I gave you the output of ls -lZ after files had been created when > > enforcing had been disabled. > > Ah, I was referring to the first one, so we could see why SELinux was > failing. :) If you sent along the second, I believe the problem is > fixed by those patches I mentioned. They're currently on the master > branch (will be released as v0.58 in ~3 weeks), and could be pretty > easily cherry-picked backwards by anybody who thought them important. > (We don't want to do that in case there are unforeseen consequences, > which there could be given the nature of the change.) > > > > What part of ceph is causing this behaviour? The kernel cephfs > > filesystem or the ceph osd? > > The MDS, actually. Just throwing this out there, in case it wasn't already obvious: it is entirely possible that the kernel client is doing something trivially wrong that is mucking this all up as well. We've never played with SELinux, and I'm not sure if there are any requirements beyond xattr support from the FS. For POSIX ACLs, for instance, there is a bunch of boilerplate code that has to be wired up, even though the fs doesn't actually do anything besides store the xattrs and pass them to the VFS helpers. (Possibly an easy kernel project, if anyone is interested.) sage > -Greg > > > > > > Darryl > > > > > > On 02/22/13 08:39, Gregory Farnum wrote: > >> > >> Darryl, > >> We did notice an issue today in which setting xattrs is disallowed on > >> the root CephFS directory. I (still :) don't see any evidence in the > >> given strace that that was the cause of the problem, but if you wanted > >> to test it out with the newest master branch (or just cherry-pick the > >> relevant commits 9f82ae60fac30391dfa9d17d2fc014bf9e21f387 and > >> 79f09bf33e3f4b6815d854fa0ce30b006b1e3e74 on to whatever you're using, > >> if you'd like a stable release) you could test it. > >> -Greg > >> > >> On Wed, Feb 20, 2013 at 10:00 AM, Gregory Farnum <greg@xxxxxxxxxxx> wrote: > >>> > >>> [ Re-added the list for archival and informational purposes. ] > >>> > >>> I don't see any reference to xattr functions in this strace, and > >>> nothing's returning EOPNOTSUPP ? although there are several ENOENTs on > >>> paths like "/var/run/nscd/socket". I think it's misconfigured somehow, > >>> but I'm afraid I don't know enough about SELinux to help you figure > >>> out what ? I had to google just for the references I made yesterday. > >>> ;) > >>> -Greg > >>> > >>> On Tue, Feb 19, 2013 at 10:11 PM, Darryl Bond <dbond@xxxxxxxxxxxxx> > >>> wrote: > >>>> > >>>> With setenforce 0 > >>>> # ls -lZ afile > >>>> -rw-r--r-- root root ? afile > >>>> > >>>> # strace ls -lZ afile > >>>> execve("/bin/ls", ["ls", "-lZ", "afile"], [/* 25 vars */]) = 0 > >>>> brk(0) = 0x228c000 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cd0e000 > >>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > >>>> directory) > >>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=107205, ...}) = 0 > >>>> mmap(NULL, 107205, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f851ccf3000 > >>>> close(3) = 0 > >>>> open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pa o;\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=136440, ...}) = 0 > >>>> mmap(0x3b6f200000, 2234408, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f200000 > >>>> mprotect(0x3b6f21f000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x3b6f41e000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x3b6f41e000 > >>>> mmap(0x3b6f420000, 6184, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b6f420000 > >>>> close(3) = 0 > >>>> open("/lib64/librt.so.1", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\"\200\0267\0\0\0"..., > >>>> 832) > >>>> = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=47624, ...}) = 0 > >>>> mmap(0x3716800000, 2128984, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716800000 > >>>> mprotect(0x3716807000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x3716a06000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x3716a06000 > >>>> close(3) = 0 > >>>> open("/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\25@\0327\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=21392, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851ccf2000 > >>>> mmap(0x371a400000, 2114080, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x371a400000 > >>>> mprotect(0x371a404000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x371a603000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x371a603000 > >>>> close(3) = 0 > >>>> open("/lib64/libacl.so.1", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\37\30017\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=39192, ...}) = 0 > >>>> mmap(0x3731c00000, 2130560, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3731c00000 > >>>> mprotect(0x3731c07000, 2097152, PROT_NONE) = 0 > >>>> mmap(0x3731e07000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x3731e07000 > >>>> close(3) = 0 > >>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> > >>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., > >>>> 832) > >>>> = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0 > >>>> mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000 > >>>> mprotect(0x3715dad000, 2097152, PROT_NONE) = 0 > >>>> mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000 > >>>> mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000 > >>>> close(3) = 0 > >>>> open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\35`o;\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=388152, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851ccf1000 > >>>> mmap(0x3b6f600000, 2478664, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f600000 > >>>> mprotect(0x3b6f65c000, 2097152, PROT_NONE) = 0 > >>>> mmap(0x3b6f85c000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5c000) = 0x3b6f85c000 > >>>> close(3) = 0 > >>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0267\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=22440, ...}) = 0 > >>>> mmap(0x3716000000, 2109736, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716000000 > >>>> mprotect(0x3716003000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x3716202000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3716202000 > >>>> close(3) = 0 > >>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360j@\0267\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=144552, ...}) = 0 > >>>> mmap(0x3716400000, 2208808, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716400000 > >>>> mprotect(0x3716416000, 2097152, PROT_NONE) = 0 > >>>> mmap(0x3716616000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x3716616000 > >>>> mmap(0x3716618000, 13352, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3716618000 > >>>> close(3) = 0 > >>>> open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\23\300,7\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=22136, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851ccf0000 > >>>> mmap(0x372cc00000, 2113880, PROT_READ|PROT_EXEC, > >>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x372cc00000 > >>>> mprotect(0x372cc04000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x372ce03000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x372ce03000 > >>>> close(3) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851ccef000 > >>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cced000 > >>>> arch_prctl(ARCH_SET_FS, 0x7f851cced7c0) = 0 > >>>> mprotect(0x61a000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3b6f41e000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3716a06000, 4096, PROT_READ) = 0 > >>>> mprotect(0x371a603000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3731e07000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3715fad000, 16384, PROT_READ) = 0 > >>>> mprotect(0x3b6f85c000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3716202000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3715a20000, 4096, PROT_READ) = 0 > >>>> mprotect(0x3716616000, 4096, PROT_READ) = 0 > >>>> mprotect(0x372ce03000, 4096, PROT_READ) = 0 > >>>> munmap(0x7f851ccf3000, 107205) = 0 > >>>> set_tid_address(0x7f851cceda90) = 18454 > >>>> set_robust_list(0x7f851ccedaa0, 24) = 0 > >>>> rt_sigaction(SIGRTMIN, {0x3716406650, [], SA_RESTORER|SA_SIGINFO, > >>>> 0x371640f000}, NULL, 8) = 0 > >>>> rt_sigaction(SIGRT_1, {0x37164066d0, [], > >>>> SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x371640f000}, NULL, 8) = 0 > >>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 > >>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) > >>>> = 0 > >>>> statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, > >>>> f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, > >>>> f_namelen=255, f_frsize=4096}) = 0 > >>>> statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, > >>>> f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, > >>>> f_namelen=255, f_frsize=4096}) = 0 > >>>> stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 > >>>> brk(0) = 0x228c000 > >>>> brk(0x22ad000) = 0x22ad000 > >>>> open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0 > >>>> mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f85168fd000 > >>>> close(3) = 0 > >>>> ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, > >>>> {B38400 opost isig icanon echo ...}) = 0 > >>>> ioctl(1, TIOCGWINSZ, {ws_row=64, ws_col=227, ws_xpixel=0, ws_ypixel=0}) > >>>> = 0 > >>>> lstat("afile", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 > >>>> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > >>>> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = > >>>> -1 ENOENT (No such file or directory) > >>>> close(3) = 0 > >>>> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > >>>> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = > >>>> -1 ENOENT (No such file or directory) > >>>> close(3) = 0 > >>>> open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=1717, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cd0d000 > >>>> read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1717 > >>>> read(3, "", 4096) = 0 > >>>> close(3) = 0 > >>>> munmap(0x7f851cd0d000, 4096) = 0 > >>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=107205, ...}) = 0 > >>>> mmap(NULL, 107205, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f851ccf3000 > >>>> close(3) = 0 > >>>> open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3 > >>>> read(3, > >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340!\0\0\0\0\0\0"..., > >>>> 832) = 832 > >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=62416, ...}) = 0 > >>>> mmap(NULL, 2148456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > >>>> 0) = 0x7f85166f0000 > >>>> mprotect(0x7f85166fc000, 2093056, PROT_NONE) = 0 > >>>> mmap(0x7f85168fb000, 8192, PROT_READ|PROT_WRITE, > >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f85168fb000 > >>>> close(3) = 0 > >>>> mprotect(0x7f85168fb000, 4096, PROT_READ) = 0 > >>>> munmap(0x7f851ccf3000, 107205) = 0 > >>>> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=2091, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cd0d000 > >>>> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2091 > >>>> close(3) = 0 > >>>> munmap(0x7f851cd0d000, 4096) = 0 > >>>> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > >>>> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = > >>>> -1 ENOENT (No such file or directory) > >>>> close(3) = 0 > >>>> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > >>>> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = > >>>> -1 ENOENT (No such file or directory) > >>>> close(3) = 0 > >>>> open("/etc/group", O_RDONLY|O_CLOEXEC) = 3 > >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=796, ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cd0d000 > >>>> read(3, "root:x:0:\nbin:x:1:\ndaemon:x:2:\ns"..., 4096) = 796 > >>>> close(3) = 0 > >>>> munmap(0x7f851cd0d000, 4096) = 0 > >>>> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0 > >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > >>>> = 0x7f851cd0d000 > >>>> write(1, "-rw-r--r-- root root ? "..., 60-rw-r--r-- root root > >>>> ? afile > >>>> ) = 60 > >>>> close(1) = 0 > >>>> munmap(0x7f851cd0d000, 4096) = 0 > >>>> close(2) = 0 > >>>> exit_group(0) = ? > >>>> +++ exited with 0 +++ > >>>> > >>>> > >>>> On 02/20/13 11:36, Gregory Farnum wrote: > >>>>> > >>>>> Hmm, SELinux appears to use the "security.selinux" xattr namespace, > >>>>> and "security.*" is allowed through Ceph's filters. Can you check and > >>>>> make sure that it's in fact using the xattr labeling scheme and not > >>>>> something else? Maybe strace the process and check exactly which > >>>>> syscall fails in what way. > >>>>> -Greg > >>>>> > >>>>> On Mon, Feb 18, 2013 at 4:19 PM, Darryl Bond <dbond@xxxxxxxxxxxxx> > >>>>> wrote: > >>>>>> > >>>>>> I believe that it was the kernel client. I had installed the rpms from > >>>>>> the Ceph download (0.56.3) > >>>>>> mount -t cephfs ... > >>>>>> > >>>>>> I was using 3.7.7 yesterday. > >>>>>> > >>>>>> Darryl > >>>>>> > >>>>>> > >>>>>> > >>>>>> On 02/19/13 10:12, Gregory Farnum wrote: > >>>>>>> > >>>>>>> This is using the kernel client? What kernel version does Fedora 18 > >>>>>>> use? > >>>>>>> > >>>>>>> I would expect this to work fine as CephFS enables xattrs by default, > >>>>>>> but > >>>>>>> perhaps we've made a mistake in filtering somewhere? > >>>>>>> -Greg > >>>>>>> > >>>>>>> > >>>>>>> On Sunday, February 17, 2013 at 3:56 PM, Darryl Bond wrote: > >>>>>>> > >>>>>>>> Hello, > >>>>>>>> I have mounted a cephfs filesystem on Fedora18 client. I am using > >>>>>>>> SELinux and get permission denied unless I setenforce 0. > >>>>>>>> The filesystem cannot be labelled to allow it to work with SELinux. > >>>>>>>> # chcon --reference=/var /mnt > >>>>>>>> chcon: failed to change context of /mnt to > >>>>>>>> system_u:object_r:var_t:s0: > >>>>>>>> Operation not supported > >>>>>>>> > >>>>>>>> > >>>>>>>> I can't see any options to enable extended attributes in MDS or > >>>>>>>> mount.ceph > >>>>>>>> > >>>>>>>> Regards > >>>>>>>> Darryl > >>>>>>> > >>>>>>> > >>>>>> The contents of this electronic message and any attachments are > >>>>>> intended > >>>>>> only for the addressee and may contain legally privileged, personal, > >>>>>> sensitive or confidential information. If you are not the intended > >>>>>> addressee, and have received this email, any transmission, > >>>>>> distribution, > >>>>>> downloading, printing or photocopying of the contents of this message > >>>>>> or > >>>>>> attachments is strictly prohibited. Any legal privilege or > >>>>>> confidentiality > >>>>>> attached to this message and attachments is not waived, lost or > >>>>>> destroyed > >>>>>> by > >>>>>> reason of delivery to any person other than intended addressee. If you > >>>>>> have > >>>>>> received this message and are not the intended addressee you should > >>>>>> notify > >>>>>> the sender by return email and destroy all copies of the message and > >>>>>> any > >>>>>> attachments. Unless expressly attributed, the views expressed in this > >>>>>> email > >>>>>> do not necessarily represent the views of the company. > >>>> > >>>> > >>>> > >>>> The contents of this electronic message and any attachments are intended > >>>> only for the addressee and may contain legally privileged, personal, > >>>> sensitive or confidential information. If you are not the intended > >>>> addressee, and have received this email, any transmission, distribution, > >>>> downloading, printing or photocopying of the contents of this message or > >>>> attachments is strictly prohibited. Any legal privilege or > >>>> confidentiality > >>>> attached to this message and attachments is not waived, lost or > >>>> destroyed by > >>>> reason of delivery to any person other than intended addressee. If you > >>>> have > >>>> received this message and are not the intended addressee you should > >>>> notify > >>>> the sender by return email and destroy all copies of the message and any > >>>> attachments. Unless expressly attributed, the views expressed in this > >>>> email > >>>> do not necessarily represent the views of the company. > > > > > > > > The contents of this electronic message and any attachments are intended > > only for the addressee and may contain legally privileged, personal, > > sensitive or confidential information. If you are not the intended > > addressee, and have received this email, any transmission, distribution, > > downloading, printing or photocopying of the contents of this message or > > attachments is strictly prohibited. Any legal privilege or confidentiality > > attached to this message and attachments is not waived, lost or destroyed by > > reason of delivery to any person other than intended addressee. If you have > > received this message and are not the intended addressee you should notify > > the sender by return email and destroy all copies of the message and any > > attachments. Unless expressly attributed, the views expressed in this email > > do not necessarily represent the views of the company. > _______________________________________________ > ceph-users mailing list > ceph-users@xxxxxxxxxxxxxx > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > > The contents of this electronic message and any attachments are intended only for the addressee and may contain legally privileged, personal, sensitive or confidential information. If you are not the intended addressee, and have received this email, any transmission, distribution, downloading, printing or photocopying of the contents of this message or attachments is strictly prohibited. Any legal privilege or confidentiality attached to this message and attachments is not waived, lost or destroyed by reason of delivery to any person other than intended addressee. If you have received this message and are not the intended addressee you should notify the sender by return email and destroy all copies of the message and any attachments. Unless expressly attributed, the views expressed in this email do not necessarily represent the views of the company. _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com