On 19.02.2018 at 17:22, Daniel Gryniewicz wrote:
> To my knowledge, no one has done any work on ganesha + ceph and selinux. Fedora (and RHEL) includes config in its selinux package for ganesha + gluster, but I'm sure there's missing bits for ceph.

Thanks! I was asking here since, from the latest talks on Ceph, I would expect nfs-ganesha to become a major "supported feature", potentially starting even from mimic.

For anybody who is following / curious, I had to extend my manual SELinux module to fix Kerberos ticket cache issues.
I'm now using the following successfully:

module nfs_ganesha-fix-perms 1.0;

require {
	type proc_net_t;
	type cyphesis_port_t;
	type krb5_host_rcache_t;
	type ganesha_t;
	class capability setuid;
	class capability setgid;
	class capability dac_override;
	class tcp_socket name_connect;
	class file { getattr open read write };
}

#============= ganesha_t ==============
allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
allow ganesha_t proc_net_t:file { getattr open read };
allow ganesha_t self:capability dac_override;
allow ganesha_t self:capability setuid;
allow ganesha_t self:capability setgid;
allow ganesha_t krb5_host_rcache_t:file write;

Cheers,
Oliver

>
> Daniel
>
> On 02/17/2018 03:15 PM, Oliver Freyermuth wrote:
>> Hi together,
>>
>> many thanks for the RPMs provided at:
>> http://download.ceph.com/nfs-ganesha/
>> They are very much appreciated!
>>
>>
>> Since the statement was that they will also be maintained in the future, and NFS Ganesha seems an important project for the future of Ceph,
>> let me do the first "packaging" bug report.
>>
>> It seems that the current packages do not play so well with SELinux.
>> I'm currently using an SELinux module with the following allows, found by
>> iterative use of audit2allow (full ".te" module added at the end of the mail):
>>
>> allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
>> allow ganesha_t proc_net_t:file { getattr open read };
>> allow ganesha_t self:capability dac_override;
>> allow ganesha_t self:capability setuid;
>> allow ganesha_t self:capability setgid;
>>
>> "cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, 6780-6799) overlaps with the default ports
>> recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them; the other caps appear to be needed by nfs-ganesha itself.
>>
>> With these in place, it seems my setup is working well. Without the "setgid" cap, for example, nfs-ganesha just segfaults after the permission denied failure.
>> Of course, it would be best if they were installed by the package (potentially, more restrictive allows are possible with some care).
>>
>>
>> Please include me in replies, I am not subscribed to the list.
>>
>> Cheers and all the best,
>> Oliver
>>
>> ----------------------------------------
>>
>> module nfs_ganesha-fix-perms 1.0;
>>
>> require {
>> 	type proc_net_t;
>> 	type cyphesis_port_t;
>> 	type ganesha_t;
>> 	class capability setuid;
>> 	class capability setgid;
>> 	class capability dac_override;
>> 	class tcp_socket name_connect;
>> 	class file { getattr open read };
>> }
>>
>> #============= ganesha_t ==============
>> allow ganesha_t cyphesis_port_t:tcp_socket name_connect;
>> allow ganesha_t proc_net_t:file { getattr open read };
>> allow ganesha_t self:capability dac_override;
>> allow ganesha_t self:capability setuid;
>> allow ganesha_t self:capability setgid;
>>
>
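The quoted mail describes building the module by iterative audit2allow runs, and the reply above shows the result once the krb5_host_rcache_t denial was added. The following is an added example, not code from the thread or from nfs-ganesha: a small stand-in for what audit2allow does with AVC records, grouping the denied permissions per (source type, target type, class) and emitting a .te module in the same shape as Oliver's. The AVC lines are constructed for the example (contexts match the module in the mail, pids, inodes and timestamps are made up); on a real host the input would be the audit.log, and the output should still be reviewed before loading, since a generated allow is only as narrow as the denials that produced it.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the shape of /var/log/audit/audit.log entries;
# they are not from the mail, but the contexts match those in Oliver's module.
SAMPLE_AVC = """\
type=AVC msg=audit(1519055000.100:101): avc:  denied  { name_connect } for  pid=2101 comm="ganesha.nfsd" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1519055000.101:102): avc:  denied  { read } for  pid=2101 comm="ganesha.nfsd" path="/proc/net/unix" dev="proc" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519055000.102:103): avc:  denied  { open } for  pid=2101 comm="ganesha.nfsd" path="/proc/net/unix" dev="proc" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519055000.103:104): avc:  denied  { getattr } for  pid=2101 comm="ganesha.nfsd" path="/proc/net/unix" dev="proc" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519055000.104:105): avc:  denied  { setuid } for  pid=2101 comm="ganesha.nfsd" capability=7 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1519055000.105:106): avc:  denied  { setgid } for  pid=2101 comm="ganesha.nfsd" capability=6 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1519055000.106:107): avc:  denied  { dac_override } for  pid=2101 comm="ganesha.nfsd" capability=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1519055000.107:108): avc:  denied  { write } for  pid=2101 comm="ganesha.nfsd" name="nfs_0" dev="tmpfs" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=0
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<src>\w+):\S+\s+tcontext=\w+:\w+:(?P<tgt>\w+):\S+\s+tclass=(?P<cls>\w+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set_of_perms} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # other audit record types (SYSCALL, PATH, ...) are skipped
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def _perm_list(perms):
    """Single permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_module(rules, name="nfs_ganesha-fix-perms", version="1.0"):
    """Emit a .te module: require block, then one allow per (src, tgt, class); same-type rules use 'self'."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update({src, tgt})
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {_perm_list(perms)};")
    return "\n".join(out) + "\n"
```

Running `print(render_module(parse_denials(SAMPLE_AVC)))` yields a module equivalent to the one in the reply, with the three capability denials merged into one `self:capability` rule and the file class requiring `{ getattr open read write }`.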
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com