Hi together,

many thanks for the RPMs provided at:
http://download.ceph.com/nfs-ganesha/
They are very much appreciated!

Since the statement was that they will also be maintained in the future, and NFS Ganesha seems an important project for the future of Ceph, let me do the first "packaging" bug report.

It seems that the current packages do not play so well with SELinux. I'm currently using an SELinux module with the following allows, found by iterative use of audit2allow (full ".te" module added at the end of the mail):

allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
allow ganesha_t proc_net_t:file { getattr open read };
allow ganesha_t self:capability dac_override;
allow ganesha_t self:capability setuid;
allow ganesha_t self:capability setgid;

"cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, 6780-6799) overlaps with the default ports recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them, the other caps appear to be needed by nfs-ganesha itself.

With these in place, it seems my setup is working well. Without the "setgid" cap, for example, nfs-ganesha just segfaults after the permission denied failure.
Of course, it would be best if they were installed by the package (potentially, more restrictive allows are possible with some care).

Please include me in replies, I am not subscribed to the list.

Cheers and all the best,
Oliver

----------------------------------------

module nfs_ganesha-fix-perms 1.0;

require {
        type proc_net_t;
        type cyphesis_port_t;
        type ganesha_t;
        class capability setuid;
        class capability setgid;
        class capability dac_override;
        class tcp_socket name_connect;
        class file { getattr open read };
}

#============= ganesha_t ==============
allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
allow ganesha_t proc_net_t:file { getattr open read };
allow ganesha_t self:capability dac_override;
allow ganesha_t self:capability setuid;
allow ganesha_t self:capability setgid;
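As an added illustration (not part of the original mail and not audit2allow's own code), the sketch below shows how AVC denials map onto allow rules like those in the module above, and singles out dac_override for review before a rule set is packaged. The log lines are constructed samples, and the names `collect_rules`, `render`, `needs_review` and `REVIEW` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed AVC denials (not from the mail), shaped like audit.log records.
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="ganesha.nfsd" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000000.102:202): avc:  denied  { read open } for  pid=1234 comm="ganesha.nfsd" name="if_inet6" dev="proc" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1500000000.103:203): avc:  denied  { getattr } for  pid=1234 comm="ganesha.nfsd" path="/proc/1234/net/if_inet6" dev="proc" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1500000000.104:204): avc:  denied  { dac_override } for  pid=1234 comm="ganesha.nfsd" capability=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability
type=AVC msg=audit(1500000000.105:205): avc:  denied  { setuid } for  pid=1234 comm="ganesha.nfsd" capability=7 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability
type=AVC msg=audit(1500000000.106:206): avc:  denied  { setgid } for  pid=1234 comm="ganesha.nfsd" capability=6 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability
type=AVC msg=audit(1500000000.107:207): avc:  denied  { read } for  pid=4321 comm="httpd" name="index.html" dev="sda1" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
REVIEW = {"dac_override"}  # bypasses file permission checks; examine before shipping

def collect_rules(log_text, domain="ganesha_t"):
    """Group denied permissions by (source, target, class) for one source domain."""
    rules = defaultdict(set)
    for match in AVC_RE.finditer(log_text):
        src = match["scon"].split(":")[2]   # user:role:type:level -> type
        tgt = match["tcon"].split(":")[2]
        if src != domain:
            continue                         # ignore other domains' denials
        tgt = "self" if tgt == src else tgt  # same type on both sides is written "self"
        rules[(src, tgt, match["tclass"])].update(match["perms"].split())
    return rules

def render(rules):
    """Emit one allow statement per key, permissions sorted for stable diffs."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{tclass} {body};")
    return lines

def needs_review(rules):
    """Return (target, class, perm) triples granting a permission listed in REVIEW."""
    return sorted((t, c, p) for (_, t, c), ps in rules.items() for p in ps & REVIEW)

if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LOG)
    print("\n".join(render(rules)))
    for tgt, tclass, perm in needs_review(rules):
        print(f"# review: {tgt}:{tclass} {perm}")
```

The three capability denials are merged into one brace set, which grants the same permissions as the three separate allow lines in the module.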