On Wed, Dec 02, 2015 at 08:26:45PM -0500, Paul Moore wrote:
> On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> > Hi,
> >
> > At the moment it is not possible to set an SELinux context over a FUSE
> > mount. This is because FUSE (in the kernel) does not support SELinux.
> > I'll try to explain what we need to accomplish to get this working.
> >
> > 1. make it possible for SELinux to check sub-filesystems
> >
> > Currently SELinux can only check if a filesystem supports SELinux,
> > based on the base filesystem. By default FUSE does not support
> > SELinux, so it is not possible for sub-filesystems to support it
> > either. When checking /proc/mounts a Gluster mount identifies itself
> > with "fuse.glusterfs", which is <mainfs>.<subfs>.
> >
> > An experimental patch for the kernel has been attached to
> > https://bugzilla.redhat.com/1272868
>
> I'm not very knowledgeable about gluster so I don't have much constructive to
> say about any of the points below, and my comments in the BZ above are still
> valid. I will say that I didn't have much luck getting a response from Eric,
> but I don't think that should stop anything at this point; if the gluster
> folks are okay with everything else, I have no problems with the proposed
> SELinux kernel bits (that weren't already mentioned in the BZ).

The approach looks good, but we did not have any success with our testing yet.
The patch applied and running with the test-kernel does not make it possible
yet to change the SELinux context with "chcon". Even mounting with the
additional "seclabel" mount option does not help with that (but it looks like
a no-op in the kernel sources anyway).

    # chcon -t home_user_t /mnt/README
    chcon: failed to change context of ‘/mnt/README’ to ‘system_u:object_r:home_user_t:s0’: Operation not supported

Systemtap shows that the subtype is set correctly in the super_block at the
time selinux_sb_kern_mount() is called. I'm not sure what else is needed to
make this work.
A suggestion what to check from the SELinux side is welcome. The audit.log does
not contain anything relevant at the time of the mounting; maybe there is a
way to enable more verbose logging of some kind?

    # stap vfs_kern_mount_subtype.stp
    Beginning probe, press CTRL+C to exit...
    vfs_kern_mount_subtype with subtype=glusterfs
    mount_fs with type=fuse, subtype=glusterfs
    security_sb_kern_mount with type=fuse, subtype=glusterfs
    selinux_sb_kern_mount with type=fuse, subtype=glusterfs
    selinux_parse_opts_str with options=seclabel

I've attached the systemtap script for reference.

Thanks,
Niels
#!/usr/bin/stap
#
# Script to help with investigation and debugging of the kernel patch posted at
# https://bugzilla.redhat.com/1272868
#
# This systemtap script will only work against a kernel that has the test-patch
# applied, otherwise you will get errors about unresolvable functions (most
# likely vfs_kern_mount_subtype).
#

probe begin
{
	printf("Beginning probe, press CTRL+C to exit...\n");
}

probe kernel.function("vfs_kern_mount_subtype")
{
	printf("vfs_kern_mount_subtype with subtype=%s\n", kernel_string($subtype));
}

probe kernel.function("mount_fs")
{
	printf("mount_fs with type=%s, subtype=%s\n", kernel_string($type->name), kernel_string($subtype));
}

probe kernel.function("security_sb_kern_mount"), kernel.function("selinux_sb_kern_mount")
{
	printf("%s with type=%s, subtype=%s\n", probefunc(), kernel_string($sb->s_type->name), kernel_string($sb->s_subtype));
}

probe kernel.function("selinux_parse_opts_str")
{
	printf("selinux_parse_opts_str with options=%s\n", kernel_string($options));
}
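As an added check for the situation described above (example code written for this note, not code from the thread, from Gluster or from the kernel patch), a small POSIX shell script that parses /proc/mounts the way the mail describes, splitting the "fuse.glusterfs" fstype into <mainfs>.<subfs>, and reports whether the kernel already shows "seclabel" in the mount options, which is what SELinux exposes once it considers the superblock labelable. The function names and the sample mount table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: split a /proc/mounts fstype into
# <mainfs>.<subfs> and report whether SELinux shows "seclabel" for a mount,
# i.e. whether the superblock is labelable before anyone tries chcon on it.
# Function names and the sample mount table are constructed for this example.

# Constructed /proc/mounts sample (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,seclabel,relatime 0 0
localhost:/gv0 /mnt fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0'

# Split a fstype into "<mainfs> <subfs>"; a type without a subtype gets "-".
mount_fstype_parts() {
    case "$1" in
        *.*) printf '%s %s\n' "${1%%.*}" "${1#*.}" ;;
        *)   printf '%s -\n' "$1" ;;
    esac
}

# Describe one mountpoint as "<mainfs> <subfs> <yes|no>" (seclabel shown or
# not), or "absent" when the mountpoint is not in the table.
# Reads the live /proc/mounts unless a mount table is passed as $2.
mount_label_status() {
    mp=$1
    table=${2:-$(cat /proc/mounts)}
    result=absent
    while read -r dev point fstype opts rest; do
        [ "$point" = "$mp" ] || continue
        case ",$opts," in
            *,seclabel,*) lbl=yes ;;
            *)            lbl=no ;;
        esac
        result="$(mount_fstype_parts "$fstype") $lbl"
    done <<EOF
$table
EOF
    printf '%s\n' "$result"
}

# Stand-alone run against the constructed table.
for mp in / /mnt /tmp; do
    printf '%s: %s\n' "$mp" "$(mount_label_status "$mp" "$SAMPLE_MOUNTS")"
done
```

Run without the second argument to check a live system; a FUSE mount that never gains "seclabel" here is one the kernel will still refuse chcon on.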
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel