Re: Cephfs fsal + nfs-ganesha + el7/centos7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

To my knowledge, no one has done any work on ganesha + ceph and selinux. Fedora (and RHEL) includes config in it's selinux package for ganesha + gluster, but I'm sure there's missing bits for ceph. 

Daniel

On 02/17/2018 03:15 PM, Oliver Freyermuth wrote:

Hi together,

many thanks for the RPMs provided at:
   http://download.ceph.com/nfs-ganesha/
They are very much appreciated!


Since the statement was that they will also be maintained in the future, and NFS Ganesha seems an important project for the future of Ceph,
let me do the first "packaging" bug report.

It seems that the current packages do not play so well with SELinux. I'm currently using an SELinux module with the following allows, found by
iterative use of audit2allow (full ".te" module added at the end of the mail):

allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
allow ganesha_t proc_net_t:file { getattr open read };
allow ganesha_t self:capability dac_override;
allow ganesha_t self:capability setuid;
allow ganesha_t self:capability setgid;

"cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, 6780-6799) overlaps with the default ports
recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them, the other caps appear to be needed by nfs-ganesha itself.

With these in place, it seems my setup is working well. Without the "setgid" cap, for example, nfs-ganesha just segfaults after the permission denied failure.
Of course, it would be best if they were installed by the package (potentially, more restrictive allows are possible with some care).


Please include me in replies, I am not subscribed to the list.

Cheers and all the best,
	Oliver

----------------------------------------

module nfs_ganesha-fix-perms 1.0;

require {
         type proc_net_t;
         type cyphesis_port_t;
         type ganesha_t;
         class capability setuid;
         class capability setgid;
         class capability dac_override;
         class tcp_socket name_connect;
         class file { getattr open read };
}

#============= ganesha_t ==============
allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
allow ganesha_t proc_net_t:file { getattr open read };
allow ganesha_t self:capability dac_override;
allow ganesha_t self:capability setuid;
allow ganesha_t self:capability setgid;




_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com



_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]

  Powered by Linux