On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> Hi,
>
> At the moment it is not possible to set an SELinux context over a FUSE
> mount. This is because FUSE (in the kernel) does not support SELinux.
> I'll try to explain what we need to accomplish to get this working.
>
> 1. make it possible for SELinux to check sub-filesystems
>
> Currently SELinux can only check if a filesystem supports SELinux,
> based on the base filesystem. By default FUSE does not support
> SELinux, so it is not possible for sub-filesystems to support it
> either. When checking /proc/mounts a Gluster mount identifies itself
> with "fuse.glusterfs", which is <mainfs>.<subfs>.
>
> An experimental patch for the kernel has been attached to
> https://bugzilla.redhat.com/1272868

I'm not very knowledgeable about gluster so I don't have much constructive
to say about any of the points below, and my comments in the BZ above are
still valid.

I will say that I didn't have much luck getting a response from Eric, but
I don't think that should stop anything at this point; if the gluster
folks are okay with everything else, I have no problems with the proposed
SELinux kernel bits (that weren't already mentioned in the BZ).

> 2. inform FUSE that the glusterfs sub-filesystem supports SELinux
>
> Mount options are passed on to the FUSE kernel module when mounting
> takes place. Some options are user-space process specific and can get
> filtered out, whereas others are passed to FUSE. We probably should
> pass the "selinux" mount option on to the kernel (if not done
> already). This includes making sure that other SELinux related mount
> options are valid and applied (check /sbin/mount.glusterfs script?).
>
>
> 3. secured brick processes, storage servers in enforcing mode
>
> Brick processes may only read/write contents in the brick directories
> that have SELinux type glusterd_brick_t. This means that when a
> client sets/reads a security.selinux extended attribute over a
> mountpoint, the brick process needs to convert the request to a
> trusted.gluster.selinux xattr. The security.selinux xattr on the
> brick is used by the kernel on the storage server to prevent
> unauthorized access to the contents in the brick directories. A
> conversion security.selinux<->trusted.gluster.selinux could be done
> in the Posix xlator, or in a new selinux one.
>
> Related to this last point, add-brick (and remove-brick?) would need
> to take care to set the right contexts of the brick directories. A
> patch that adds helper scripts has been posted quite a while back
> already: http://review.gluster.org/6630
>
>
> 4. do we need to add libgfapi functions?
>
> Not sure about this point yet. Maybe Samba, NFS-Ganesha (for labelled
> NFS) or QEMU would like to be able to set specific SELinux contexts.
> It would probably be cleaner to do this through an API call and not
> have the applications set the security.selinux xattr itself.
>
> Comments on this are much appreciated. Let me know if Manikandan and I
> have missed something and we'll make sure to add it. Once we have
> received a few replies, we will also post a description of how it all
> hangs together to the glusterfs-specs repository [1].
>
> Thanks,
> Manikandan & Niels
>
> 1. https://github.com/gluster/glusterfs-specs

--
paul moore
security @ redhat

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel
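The plumbing sketched in points 1 to 3 of the quoted proposal, as an added example that is not part of the thread and is not Gluster or kernel code: it models (1) decomposing a /proc/mounts fstype such as "fuse.glusterfs" into <mainfs>.<subfs>, (2) splitting a mount option string into the SELinux options that should reach the FUSE kernel module versus those kept in user space, and (3) the security.selinux <-> trusted.gluster.selinux translation a posix or selinux xlator would do on the brick while the brick's own glusterd_brick_t label stays server-side. The /proc/mounts lines, the option list, the contexts, the class and function names, and the choice to refuse direct client writes to the brick-internal xattr name are all assumptions made for the illustration.

```python
"""Toy model of SELinux-over-FUSE plumbing for a Gluster brick.

Added example; not Gluster or kernel code. The xattr names follow the
proposal (client-visible security.selinux, brick-stored
trusted.gluster.selinux); everything else here is an assumption.
"""
from __future__ import annotations

# Constructed /proc/mounts lines (not captured from a real host).
PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,seclabel 0 0
srv1:/vol0 /mnt/gv0 fuse.glusterfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
sshfs#u@h:/ /mnt/ssh fuse.sshfs rw,nosuid,nodev,relatime 0 0
"""


def split_fstype(fstype: str) -> tuple[str, str | None]:
    """'fuse.glusterfs' -> ('fuse', 'glusterfs'); 'ext4' -> ('ext4', None)."""
    base, sep, sub = fstype.partition(".")
    return base, (sub if sep else None)


def parse_proc_mounts(text: str) -> list[dict]:
    """Parse /proc/mounts text into dicts with the fstype already split."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, target, fstype, opts, _dump, _pass = line.split()
        base, sub = split_fstype(fstype)
        mounts.append({"source": src, "target": target, "base": base,
                       "sub": sub, "options": opts.split(",")})
    return mounts


# SELinux-related mount options the kernel understands. Assumption: this
# table is ours, not taken from mount.glusterfs or the kernel.
SELINUX_KERNEL_OPTS = ("selinux", "context", "fscontext", "defcontext", "rootcontext")


def kernel_mount_options(client_opts: str) -> tuple[list[str], list[str]]:
    """Split a mount option string into (passed to FUSE, kept in user space)."""
    to_kernel, user_space = [], []
    for opt in client_opts.split(","):
        key = opt.split("=", 1)[0]
        (to_kernel if key in SELINUX_KERNEL_OPTS else user_space).append(opt)
    return to_kernel, user_space


CLIENT_NAME = "security.selinux"        # what the mount point exposes
BRICK_NAME = "trusted.gluster.selinux"  # what the brick stores on disk


class Brick:
    """Toy brick-side store: path -> {xattr name: value}, with the name
    translation the proposal puts in the posix (or a new selinux) xlator."""

    def __init__(self) -> None:
        self.files: dict[str, dict[str, bytes]] = {}

    def _xattrs(self, path: str) -> dict[str, bytes]:
        return self.files.setdefault(path, {})

    def label_local(self, path: str, context: bytes) -> None:
        """Label set by the storage server itself (add-brick helpers,
        restorecon), never via a client request."""
        self._xattrs(path)["security.selinux"] = context

    def client_setxattr(self, path: str, name: str, value: bytes) -> None:
        if name == BRICK_NAME:
            # Assumption: clients may not write the brick-internal name directly.
            raise PermissionError(f"{name} is reserved for the brick")
        if name == CLIENT_NAME:
            name = BRICK_NAME
        self._xattrs(path)[name] = value

    def client_getxattr(self, path: str, name: str) -> bytes:
        if name == CLIENT_NAME:
            name = BRICK_NAME
        return self._xattrs(path)[name]

    def client_listxattr(self, path: str) -> list[str]:
        out = []
        for name in self._xattrs(path):
            if name == "security.selinux":
                continue  # the brick's own label is not shown to clients
            out.append(CLIENT_NAME if name == BRICK_NAME else name)
        return sorted(out)

    def on_disk(self, path: str) -> dict[str, bytes]:
        return dict(self._xattrs(path))


def demo(path: str = "/bricks/b0/data/a.txt") -> dict:
    """Label a brick file locally, then set a context over the mount point."""
    brick = Brick()
    brick.label_local(path, b"system_u:object_r:glusterd_brick_t:s0")
    brick.client_setxattr(path, CLIENT_NAME, b"system_u:object_r:httpd_sys_content_t:s0")
    return {
        "client_sees": brick.client_getxattr(path, CLIENT_NAME),
        "client_list": brick.client_listxattr(path),
        "on_disk": brick.on_disk(path),
    }


if __name__ == "__main__":
    print(parse_proc_mounts(PROC_MOUNTS)[1])
    print(kernel_mount_options("selinux,context=system_u:object_r:fusefs_t:s0,acl"))
    print(demo())
```

The on-disk view from demo() is the point of the model: the file carries two labels, the brick's own security.selinux that the storage server's kernel enforces against the brick process, and the client's context stored under trusted.gluster.selinux, which is what the mount point hands back as security.selinux.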