Bug 1230671

Summary: SELinux not supported with FUSE client
Product: [Community] GlusterFS
Component: fuse
Version: mainline
Hardware: x86_64
OS: Linux
Status: CLOSED UPSTREAM
Severity: medium
Priority: unspecified
Type: Bug
Doc Type: Enhancement
Reporter: Vladimir Mitiouchev <vovcia>
Assignee: Csaba Henk <csaba>
CC: bugs, howey.vernon, jstrunk, martin, ndevos, rcyriac, r.medina, smohan
Keywords: FutureFeature, SELinux, Triaged
Last Closed: 2018-11-20 09:09:22 UTC
Bug Depends On: 1272868, 1291606, 1318100, 1683899

Description Vladimir Mitiouchev 2015-06-11 10:32:22 UTC
GlusterFS with native FUSE client doesn't support xattr / SELinux labeling.

Steps to Reproduce:
1. mount -t glusterfs -o selinux host:/gv1 /gv1
2. chcon -t default_t /gv1/input.txt 

Actual results:
chcon: failed to change context of /gv1/input.txt to system_u:object_r:default_t:s0: Operation not supported

Expected results:
no error

Additional info:
SELinux is running in Permissive mode.

Comment 1 Joe Julian 2015-10-28 18:46:37 UTC
Attempting to duplicate this by setting the security.selinux attribute using setfattr, the attribute call never makes it to glusterfs. It appears this must be being blocked in the kernel fuse module.

Comment 2 Niels de Vos 2015-10-29 08:35:49 UTC
This is not an issue that glusterfs-fuse can solve. SELinux in the kernel needs to detect if the filesystem supports SELinux. Not all fuse filesystems offer this support, so SELinux is not enabled for any fuse filesystem at the moment.

There is a task for the SELinux kernel devs to improve the handling of sub-filesystems, like "glusterfs" is a sub-filesystem of "fuse". When this feature is available in the kernel, Gluster can benefit from it and we should test again.

More details about the kernel side of things are in bug 1272868.
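
Added example (not part of the original bug report or of GlusterFS): a Python check for the condition discussed in comments 1 and 2. It looks up the mount behind a path, reports whether it is a FUSE filesystem and whether the kernel lists the "seclabel" option for it, and can repeat the security.selinux xattr test without changing the label. The function names and the sample mount table are assumptions constructed for this example.

```python
import errno
import os
import sys

# Constructed sample in /proc/mounts format (not taken from the bug report).
SAMPLE_MOUNTS = """\
/dev/sda1 / xfs rw,seclabel,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
host:/gv1 /gv1 fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other 0 0
"""

def mount_for(path, mounts_text):
    """Return (mountpoint, fstype, options) of the deepest mount containing path."""
    path = os.path.abspath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        inside = mnt == "/" or path == mnt or path.startswith(mnt + "/")
        # >= so that a later mount stacked on the same directory wins
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, fields[2], fields[3].split(","))
    return best

def label_support(path, mounts_text):
    """With SELinux enabled, 'seclabel' marks mounts that accept per-file labels."""
    mnt, fstype, opts = mount_for(path, mounts_text)
    return {"mount": mnt, "fstype": fstype,
            "fuse": fstype == "fuse" or fstype.startswith("fuse."),
            "seclabel": "seclabel" in opts}

def probe_setxattr(path):
    """Read the current label and write the same value back; return 'ok' or the errno name."""
    try:
        current = os.getxattr(path, "security.selinux")
        os.setxattr(path, "security.selinux", current)
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        live = f.read()
    for p in sys.argv[1:]:
        print(p, label_support(p, live), probe_setxattr(p))
```

On a mount in the state this bug describes, the expected picture is fuse=True with seclabel=False, and the probe returns an error name instead of "ok".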

Comment 3 Niels de Vos 2016-03-20 12:25:31 UTC
There are several parts that need to get done before it is possible to set an SELinux context over FUSE mounts. We are working on getting the changes in the core Gluster part done for glusterfs-3.8.0 (see bug 1318100). More details can be found in this email:

  http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/13071

There is no chance that this gets backported to glusterfs-3.7.x, so I'm setting the version to 'mainline' for now.

Comment 4 Niels de Vos 2018-07-02 07:37:13 UTC
*** Bug 1596918 has been marked as a duplicate of this bug. ***

Comment 5 Vijay Bellur 2018-11-20 09:39:05 UTC
Migrated to github:

https://github.com/gluster/glusterfs/issues/593

Please follow the github issue for further updates on this bug.