Re: Cephfs and SELinux


 



Sage,
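Perhaps, but with SELinux in permissive mode the setxattr call still fails with 'Operation not supported' (EOPNOTSUPP), so an enforced policy denial does not seem to be the cause.
The first trace below was taken in enforcing mode, the second in permissive mode.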

# strace setfattr -n security.selinux -v 'system_u:objct_r:unlabeled_t:s0' afile
execve("/usr/bin/setfattr", ["setfattr", "-n", "security.selinux", "-v", "system_u:objct_r:unlabeled_t:s0", "afile"], [/* 30 vars */]) = 0
brk(0)                                  = 0x1bb7000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8626f7000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0
mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe8626dc000
close(3)                                = 0
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\23\300,7\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22136, ...}) = 0
mmap(0x372cc00000, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x372cc00000
mprotect(0x372cc04000, 2093056, PROT_NONE) = 0
mmap(0x372ce03000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x372ce03000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0
mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000
mprotect(0x3715dad000, 2097152, PROT_NONE) = 0
mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000
mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8626db000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8626d9000
arch_prctl(ARCH_SET_FS, 0x7fe8626d9740) = 0
mprotect(0x602000, 4096, PROT_READ)     = 0
mprotect(0x372ce03000, 4096, PROT_READ) = 0
mprotect(0x3715fad000, 16384, PROT_READ) = 0
mprotect(0x3715a20000, 4096, PROT_READ) = 0
munmap(0x7fe8626dc000, 107608)          = 0
brk(0)                                  = 0x1bb7000
brk(0x1bd8000)                          = 0x1bd8000
brk(0)                                  = 0x1bd8000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0
mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe85c2e9000
close(3)                                = 0
setxattr("afile", "security.selinux", "system_u:objct_r:unlabeled_t:s0", 31, 0) = -1 EOPNOTSUPP (Operation not supported)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2444, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8626f6000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2444
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7fe8626f6000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "setfattr: afile: Operation not s"..., 41setfattr: afile: Operation not supported
) = 41
exit_group(1)                           = ?
+++ exited with 1 +++

# setenforce 0
# strace setfattr -n security.selinux -v 'system_u:objct_r:unlabeled_t:s0' afile
execve("/usr/bin/setfattr", ["setfattr", "-n", "security.selinux", "-v", "system_u:objct_r:unlabeled_t:s0", "afile"], [/* 30 vars */]) = 0
brk(0)                                  = 0x13d0000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f067cb000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0
mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9f067b0000
close(3)                                = 0
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\23\300,7\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22136, ...}) = 0
mmap(0x372cc00000, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x372cc00000
mprotect(0x372cc04000, 2093056, PROT_NONE) = 0
mmap(0x372ce03000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x372ce03000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0
mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000
mprotect(0x3715dad000, 2097152, PROT_NONE) = 0
mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000
mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f067af000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f067ad000
arch_prctl(ARCH_SET_FS, 0x7f9f067ad740) = 0
mprotect(0x602000, 4096, PROT_READ)     = 0
mprotect(0x372ce03000, 4096, PROT_READ) = 0
mprotect(0x3715fad000, 16384, PROT_READ) = 0
mprotect(0x3715a20000, 4096, PROT_READ) = 0
munmap(0x7f9f067b0000, 107608)          = 0
brk(0)                                  = 0x13d0000
brk(0x13f1000)                          = 0x13f1000
brk(0)                                  = 0x13f1000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0
mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9f003bd000
close(3)                                = 0
setxattr("afile", "security.selinux", "system_u:objct_r:unlabeled_t:s0", 31, 0) = -1 EOPNOTSUPP (Operation not supported)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2444, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f067ca000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2444
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f9f067ca000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "setfattr: afile: Operation not s"..., 41setfattr: afile: Operation not supported
) = 41
exit_group(1)                           = ?
+++ exited with 1 +++


________________________________________
From: Sage Weil [sage@xxxxxxxxxxx]
Sent: Saturday, February 23, 2013 8:34 AM
To: Gregory Farnum
Cc: Bond, Darryl; ceph-users@xxxxxxxxxxxxxx
Subject: Re:  Cephfs and SELinux

> On Fri, Feb 22, 2013 at 2:14 AM, Bond, Darryl <dbond@xxxxxxxxxxxxx> wrote:
> > setxattr("afile", "security.selinux", "system_u:object_r:unlabeled_t:s0", 33, 0) = -1 EOPNOTSUPP (Operation not supported)

This setxattr works for me, but I don't have SELinux enabled or compiled
in, which makes me think SELinux may be responsible for that
error message.

root@uml:~/mnt# setfattr -n security.selinux -v 'system_u:objct_r:unlabeled_t:s0' bar
root@uml:~/mnt# getfattr -d bar -m -
# file: bar
ceph.file.layout="chunk_bytes=4194304\012stripe_count=1\012object_size=4194304\012"
ceph.layout="chunk_bytes=4194304\012stripe_count=1\012object_size=4194304\012"
security.selinux="system_u:objct_r:unlabeled_t:s0"

sage

The contents of this electronic message and any attachments are intended only for the addressee and may contain legally privileged, personal, sensitive or confidential information. If you are not the intended addressee, and have received this email, any transmission, distribution, downloading, printing or photocopying of the contents of this message or attachments is strictly prohibited. Any legal privilege or confidentiality attached to this message and attachments is not waived, lost or destroyed by reason of delivery to any person other than intended addressee. If you have received this message and are not the intended addressee you should notify the sender by return email and destroy all copies of the message and any attachments. Unless expressly attributed, the views expressed in this email do not necessarily represent the views of the company.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

