Hi,

At the moment it is not possible to set an SELinux context over a FUSE mount. This is because FUSE (in the kernel) does not support SELinux. I'll try to explain what we need to accomplish to get this working.

1. make it possible for SELinux to check sub-filesystems

Currently SELinux can only check if a filesystem supports SELinux, based on the base filesystem. By default FUSE does not support SELinux, so it is not possible for sub-filesystems to support it either. When checking /proc/mounts a Gluster mount identifies itself with "fuse.glusterfs", which is <mainfs>.<subfs>. An experimental patch for the kernel has been attached to https://bugzilla.redhat.com/1272868

2. inform FUSE that the glusterfs sub-filesystem supports SELinux

Mount options are passed on to the FUSE kernel module when mounting takes place. Some options are user-space process specific and can get filtered out, whereas others are passed to FUSE. We probably should pass the "selinux" mount option on to the kernel (if not done already). This includes making sure that other SELinux related mount options are valid and applied (check /sbin/mount.glusterfs script?).

3. secured brick processes, storage servers in enforcing mode

Brick processes may only read/write contents in the brick directories that have SELinux type glusterd_brick_t. This means that when a client sets/reads a security.selinux extended attribute over a mountpoint, the brick process needs to convert the request to a trusted.gluster.selinux xattr. The security.selinux xattr on the brick is used by the kernel on the storage server to prevent unauthorized access to the contents in the brick directories. A conversion security.selinux<->trusted.gluster.selinux could be done in the Posix xlator, or in a new selinux one.

Related to this last point, add-brick (and remove-brick?) would need to take care to set the right contexts of the brick directories. A patch that adds helper scripts has been posted quite a while back already: http://review.gluster.org/6630

4. do we need to add libgfapi functions?

Not sure about this point yet. Maybe Samba, NFS-Ganesha (for labelled NFS) or QEMU would like to be able to set specific SELinux contexts. It would probably be cleaner to do this through an API call and not have the applications set the security.selinux xattr themselves.

Comments on this are much appreciated. Let me know if Manikandan and I have missed something and we'll make sure to add it. Once we have received a few replies, we will also post a description of how it all hangs together to the glusterfs-specs repository [1].

Thanks,
Manikandan & Niels

1. https://github.com/gluster/glusterfs-specs
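The xattr name conversion described in point 3, written out as an added C example. This is not GlusterFS code and not part of the mail: the function names are hypothetical, the sample listxattr buffer is constructed, and it assumes one design choice the mail leaves open, namely that the brick's own security.selinux label (the one the storage server's kernel relies on) is never exposed to clients, while a client's label is stored and returned under the trusted.gluster.selinux name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Name pair for the conversion discussed in point 3 of the mail. */
#define CLIENT_SELINUX_XATTR "security.selinux"
#define BRICK_SELINUX_XATTR  "trusted.gluster.selinux"

/* Client -> brick direction (setxattr/getxattr/removexattr coming in from a
 * mount). The client's SELinux label is stored under a trusted.* name so it
 * never collides with the label the storage server's kernel uses to protect
 * the brick directory (type glusterd_brick_t). Other names pass through. */
const char *selinux_xattr_to_brick(const char *name)
{
    if (strcmp(name, CLIENT_SELINUX_XATTR) == 0)
        return BRICK_SELINUX_XATTR;
    return name;
}

/* Brick -> client direction (getxattr replies, listxattr). Returns the
 * client-visible name, or NULL when the attribute must stay hidden: the
 * brick's own security.selinux belongs to the server, not to the client.
 * (Assumption of this example; the mail does not specify this.) */
const char *selinux_xattr_to_client(const char *name)
{
    if (strcmp(name, BRICK_SELINUX_XATTR) == 0)
        return CLIENT_SELINUX_XATTR;
    if (strcmp(name, CLIENT_SELINUX_XATTR) == 0)
        return NULL;
    return name;
}

/* Rewrite a listxattr buffer (names each terminated by a NUL byte, as
 * listxattr(2) returns them) from brick form into client form.
 * Returns the number of bytes written to out; 0 on a malformed input
 * (unterminated name) or when out is too small, so callers cannot hand
 * a truncated list back to the client by mistake. */
size_t selinux_filter_xattr_list(const char *in, size_t inlen,
                                 char *out, size_t outcap)
{
    size_t used = 0;
    size_t pos = 0;

    while (pos < inlen) {
        const char *name = in + pos;
        const char *nul = memchr(name, '\0', inlen - pos);
        if (nul == NULL)
            return 0;                       /* unterminated name: malformed */
        pos += (size_t)(nul - name) + 1;

        const char *mapped = selinux_xattr_to_client(name);
        if (mapped == NULL)
            continue;                       /* server-only label: hidden */

        size_t mlen = strlen(mapped) + 1;   /* include the NUL terminator */
        if (used + mlen > outcap)
            return 0;                       /* would not fit: fail closed */
        memcpy(out + used, mapped, mlen);
        used += mlen;
    }
    return used;
}

int main(void)
{
    /* Constructed sample: what listxattr() on a brick file might return,
     * holding the server's label, the stored client label and a user xattr. */
    static const char brick_list[] =
        "security.selinux\0trusted.gluster.selinux\0user.note\0";
    char client_list[64];
    size_t n = selinux_filter_xattr_list(brick_list, sizeof brick_list - 1,
                                         client_list, sizeof client_list);

    printf("client sees %zu bytes of xattr names:\n", n);
    for (size_t pos = 0; pos < n; pos += strlen(client_list + pos) + 1)
        printf("  %s\n", client_list + pos);

    printf("client set of %s lands on the brick as %s\n",
           CLIENT_SELINUX_XATTR, selinux_xattr_to_brick(CLIENT_SELINUX_XATTR));
    return 0;
}
```

Where the conversion lives (posix xlator or a dedicated selinux xlator, as the mail asks) does not change these two mappings; what matters for enforcing mode is that the brick-side security.selinux name is only ever written by the storage server's own tooling and never by a request that originated at a mountpoint.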
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel