Re: Steps needed to support SElinux over FUSE mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 02, 2015 at 08:26:45PM -0500, Paul Moore wrote:
> On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> > Hi,
> > 
> > At the moment it is not possible to set an SElinux context over a FUSE
> > mount. This is because FUSE (in the kernel) does not support SElinux.
> > I'll try to explain what we need to accomplish to get this working.
> > 
> > 1. make it possible for SElinux to check sub-filesystems
> > 
> >    Currently SElinux only can check if a filesystem supports SElinux,
> >    based on the base filesystem. By default FUSE does not support
> >    SElinux, so it is not possible for sub-filesystems to support it
> >    either. When checking /proc/mounts a Gluster mount identifies itself
> >    with "fuse.glusterfs", which is <mainfs>.<subfs>.
> > 
> >    An experimental patch for the kernel has been attached to
> >    https://bugzilla.redhat.com/1272868
> 
> I'm not very knowledgeable about gluster so I don't have much constructive to 
> say about any of the points below, and my comments in the BZ above are still 
> valid.  I will say that I didn't have much luck getting a response from Eric, 
> but I don't think that should stop anything at this point; if the gluster 
> folks are okay with everything else, I have no problems with the proposed 
> SELinux kernel bits (that weren't already mentioned in the BZ).

The approach looks good, but did not have any success with our testing
yet. The patch applied and running with the test-kernel does not make it
possible yet to change the SElinux context with "chcon". Even mounting
with the additional "seclabel" mount option does not help with that (but
it looks like a no-op in the kernel sources anyway).

  # chcon -t home_user_t /mnt/README                                                                                                                                                                                           
  chcon: failed to change context of ‘/mnt/README’ to ‘system_u:object_r:home_user_t:s0’: Operation not supported

Systemtap shows that the subtype is set correctly in the super_block at
the time selinux_sb_kern_mount() is called. I'm not sure what else is
needed to make this work. A suggestion what to check from a SElinux side
is welcome. The audit.log does not contain anything relevant at the time
of the mounting, maybe there is a way to enable more verbose logging of
some kind?

  # stap vfs_kern_mount_subtype.stp
  Beginning probe, press CTRL+C to exit...
  vfs_kern_mount_subtype with subtype=glusterfs
  mount_fs with type=fuse, subtype=glusterfs
  security_sb_kern_mount with type=fuse, subtype=glusterfs
  selinux_sb_kern_mount with type=fuse, subtype=glusterfs
  selinux_parse_opts_str with options=seclabel


I've attached the systemtap script for reference.

Thanks,
Niels
#!/usr/bin/stap
#
# Script to help with investigation and debugging of the kernel patch posted at
# https://bugzilla.redhat.com/1272868
#
# This systemtap script will only work against a kernel that has the test-patch
# applied, otherwise you will get errors about unresolvable functions (most
# likely vfs_kern_mount_subtype).
#

probe begin
{
	printf("Beginning probe, press CTRL+C to exit...\n");
}

probe kernel.function("vfs_kern_mount_subtype")
{
	printf("vfs_kern_mount_subtype with subtype=%s\n",
	       kernel_string($subtype));
}

probe kernel.function("mount_fs")
{
	printf("mount_fs with type=%s, subtype=%s\n",
	       kernel_string($type->name), kernel_string($subtype));
}

probe kernel.function("security_sb_kern_mount"),
      kernel.function("selinux_sb_kern_mount")
{
	printf("%s with type=%s, subtype=%s\n", probefunc(),
	       kernel_string($sb->s_type->name),
	       kernel_string($sb->s_subtype));
}

probe kernel.function("selinux_parse_opts_str")
{
	printf("selinux_parse_opts_str with options=%s\n",
	       kernel_string($options));
}

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel

[Index of Archives]     [Gluster Users]     [Ceph Users]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux