On Thu, Dec 03, 2015 at 10:30:49AM -0500, Brian Foster wrote:
> On Thu, Dec 03, 2015 at 03:26:27PM +0100, Niels de Vos wrote:
> > On Wed, Dec 02, 2015 at 08:26:45PM -0500, Paul Moore wrote:
> > > On Wednesday, December 02, 2015 01:02:00 PM Niels de Vos wrote:
> > > > Hi,
> > > >
> > > > At the moment it is not possible to set an SElinux context over a FUSE
> > > > mount. This is because FUSE (in the kernel) does not support SElinux.
> > > > I'll try to explain what we need to accomplish to get this working.
> > > >
> > > > 1. make it possible for SElinux to check sub-filesystems
> > > >
> > > > Currently SElinux only can check if a filesystem supports SElinux,
> > > > based on the base filesystem. By default FUSE does not support
> > > > SElinux, so it is not possible for sub-filesystems to support it
> > > > either. When checking /proc/mounts a Gluster mount identifies itself
> > > > with "fuse.glusterfs", which is <mainfs>.<subfs>.
> > > >
> > > > An experimental patch for the kernel has been attached to
> > > > https://bugzilla.redhat.com/1272868
> > >
> > > I'm not very knowledgeable about gluster so I don't have much constructive to
> > > say about any of the points below, and my comments in the BZ above are still
> > > valid. I will say that I didn't have much luck getting a response from Eric,
> > > but I don't think that should stop anything at this point; if the gluster
> > > folks are okay with everything else, I have no problems with the proposed
> > > SELinux kernel bits (that weren't already mentioned in the BZ).
> >
> > The approach looks good, but did not have any success with our testing
> > yet. The patch applied and running with the test-kernel does not make it
> > possible yet to change the SElinux context with "chcon". Even mounting
> > with the additional "seclabel" mount option does not help with that (but
> > it looks like a no-op in the kernel sources anyway).
> >
> > # chcon -t home_user_t /mnt/README
> > chcon: failed to change context of ‘/mnt/README’ to ‘system_u:object_r:home_user_t:s0’: Operation not supported
> >
> > Systemtap shows that the subtype is set correctly in the super_block at
> > the time selinux_sb_kern_mount() is called. I'm not sure what else is
> > needed to make this work. A suggestion what to check from a SElinux side
> > is welcome. The audit.log does not contain anything relevant at the time
> > of the mounting, maybe there is a way to enable more verbose logging of
> > some kind?
> >
>
> I believe fuse modifications are required to enable SELinux support via
> xattrs. I had posted some prototype patches a ways back:
>
> http://sourceforge.net/p/fuse/mailman/fuse-devel/thread/1385389343-55663-1-git-send-email-bfoster%40redhat.com/#msg31678712
>
> These patches basically add the ability for the userspace fs to enable
> selinux in fuse, add the hooks for fuse to initialize security properly
> on new inodes (fairly boilerplate if you take a look at some other linux
> fs'), and add a notification mechanism to help userspace invalidate the
> security context on remote context changes.

Great, thanks! That looks surely like one of the pieces that I was
missing. Looks straight forward enough to update the patches for a more
current kernel, will let you know how that goes.

> IIRC, the latter is required since otherwise the security context is
> initialized on the in-memory inode once and never changed except via the
> explicit chcon (setxattr?) path. Therefore, client A doesn't have any
> clean way to notify the local kernel that the backend security context
> has changed via a chcon on client B.

Ok, with the upcall framework in Gluster we can now do cache-invalidation.
It is not hooked into the FUSE client yet, but NFS-Ganesha already uses it
through libgfapi. Adding this to the FUSE client should not be too much
work (once FUSE in the kernel has the support for it).

> I also think an selinux policy update that enables selinux via xattrs
> support for "fuse.glusterfs" filesystems is a requirement to actually
> test any of this stuff. My understanding is that the kernel subtype
> thing is a requirement to distinguish glusterfs from other types of fuse
> filesystems, but the actual policy enablement for such fuse.glusterfs
> fs' is part of the userspace selinux-policy package.
>
> I have old, custom selinux-policy-3.12.1-95.fc21 rpm packages sitting
> around here that you're welcome to, but they might be too old at this
> point. I also might have prototype-level supporting code in glusterfs
> for some of this stuff (e.g., xattr name translation, remote context
> invalidation, etc.), but I'd have to dig around for that...

I think this might be included in the Fedora package already. At least
the package carries a patch that adds something for the fuse.glusterfs
filesystem:

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/policy-rawhide-base.patch#n18117

Many thanks for the details,
Niels

> Brian
>
> > # stap vfs_kern_mount_subtype.stp
> > Beginning probe, press CTRL+C to exit...
> > vfs_kern_mount_subtype with subtype=glusterfs
> > mount_fs with type=fuse, subtype=glusterfs
> > security_sb_kern_mount with type=fuse, subtype=glusterfs
> > selinux_sb_kern_mount with type=fuse, subtype=glusterfs
> > selinux_parse_opts_str with options=seclabel
> >
> >
> > I've attached the systemtap script for reference.
> >
> > Thanks,
> > Niels
>
> > #!/usr/bin/stap
> > #
> > # Script to help with investigation and debugging of the kernel patch posted at
> > # https://bugzilla.redhat.com/1272868
> > #
> > # This systemtap script will only work against a kernel that has the test-patch
> > # applied, otherwise you will get errors about unresolvable functions (most
> > # likely vfs_kern_mount_subtype).
> > #
> >
> > probe begin
> > {
> >     printf("Beginning probe, press CTRL+C to exit...\n");
> > }
> >
> > probe kernel.function("vfs_kern_mount_subtype")
> > {
> >     printf("vfs_kern_mount_subtype with subtype=%s\n",
> >            kernel_string($subtype));
> > }
> >
> > probe kernel.function("mount_fs")
> > {
> >     printf("mount_fs with type=%s, subtype=%s\n",
> >            kernel_string($type->name), kernel_string($subtype));
> > }
> >
> > probe kernel.function("security_sb_kern_mount"),
> >       kernel.function("selinux_sb_kern_mount")
> > {
> >     printf("%s with type=%s, subtype=%s\n", probefunc(),
> >            kernel_string($sb->s_type->name),
> >            kernel_string($sb->s_subtype));
> > }
> >
> > probe kernel.function("selinux_parse_opts_str")
> > {
> >     printf("selinux_parse_opts_str with options=%s\n",
> >            kernel_string($options));
> > }
> >
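As an added example (not code from this thread or from the Gluster or FUSE projects), the following shell helper performs the /proc/mounts check Niels describes: it splits a `fuse.<subtype>` fstype into the base filesystem and the subtype, and reports whether the kernel shows the `seclabel` option for that mount, which is what tells an administrator whether SELinux actually treats the mount as xattr-labeled. The sample /proc/mounts lines are constructed for the demonstration; on a real host pass `/proc/mounts` as the argument.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Reads lines in /proc/mounts format (device mountpoint fstype options dump pass)
# from the files given as arguments, or from stdin when none are given.
# For every FUSE mount it prints: mountpoint, base fs, subtype, seclabel yes/no.
fuse_mounts_seclabel() {
    awk '$3 ~ /^fuse(\.|$)/ {
        base = $3; sub(/\..*$/, "", base)          # "fuse.glusterfs" -> "fuse"
        st = ($3 ~ /\./) ? substr($3, index($3, ".") + 1) : "-"   # -> "glusterfs"
        has = "no"
        n = split($4, o, ",")                       # mount options are comma separated
        for (i = 1; i <= n; i++) if (o[i] == "seclabel") has = "yes"
        printf "%s base=%s subtype=%s seclabel=%s\n", $2, base, st, has
    }' "$@"
}

# Constructed sample in /proc/mounts format. The second gluster mount is a
# hypothetical mount on a kernel where SELinux labels the FUSE superblock.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
localhost:/gv0 /mnt fuse.glusterfs rw,relatime,user_id=0,group_id=0 0 0
localhost:/gv1 /mnt/labeled fuse.glusterfs rw,seclabel,relatime,user_id=0 0 0
sshfs#host: /srv/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000 0 0
EOF
}

# Demo run on the constructed sample; use `fuse_mounts_seclabel /proc/mounts`
# on a live system.
sample_mounts | fuse_mounts_seclabel
```

A mount without `seclabel` in its options is one on which `chcon`/`setxattr` of `security.selinux` will fail with "Operation not supported", as in the transcript above.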
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel