Bug 1252627
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Cannot set SELinux context on files on a GlusterFS mount | | |
| Product | [Community] GlusterFS | Reporter | Bob Arendt <rda> |
| Component | unclassified | Assignee | bugs <bugs> |
| Status | CLOSED DEFERRED | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 3.7.3 | CC | bugs, howey.vernon, justin, mselvaga, ndevos, rcyriac, sankarshan, sebastian.gumprich |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1256635 (view as bug list) | Environment | |
| Last Closed | 2016-06-30 10:51:45 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1318100 | | |
| Bug Blocks | 1256635, 1563506 | | |
Description
Bob Arendt
2015-08-11 23:12:50 UTC
The man pages for glusterd, glusterfs, and glusterfsd processes indicate that they take a --selinux flag. I tried applying this by hacking the glusterd code to add it - without success. I tried: /etc/sysconfig/glusterd add GLUSTERD_OPTIONS='--selinux' Patch the glusterfs-3.7.3 build: --- SPECS/glusterfs.spec_orig 2015-08-25 00:38:13.610000109 +0000 +++ SPECS/glusterfs.spec 2015-08-26 00:26:26.793000286 +0000 @@ -165,7 +165,7 @@ %if ( 0%{_for_fedora_koji_builds} ) Name: glusterfs Version: 3.7.3 -Release: 1%{?prereltag:.%{prereltag}}%{?dist} +Release: 4%{?prereltag:.%{prereltag}}%{?dist}rda Vendor: Fedora Project %else Name: @PACKAGE_NAME@ @@ -187,6 +187,8 @@ Source0: @PACKAGE_NAME@-@PACKAGE_VERSION@.tar.gz %endif +Patch0: glusterd-3.7.3-selinux.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) %if ( 0%{?rhel} && 0%{?rhel} <= 5 ) @@ -595,6 +597,7 @@ %prep %setup -q -n %{name}-%{version}%{?prereltag} +%patch0 -p1 -b .selinux %build # For whatever reason, install-sh is sometimes missing. When this gets fixed, ----------------------------------------- $ cat SOURCES/glusterd-3.7.3-selinux.patch --- ./xlators/mgmt/glusterd/src/glusterd-quota.c_orig 2015-08-26 00:21:01.186000302 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-quota.c 2015-08-26 00:22:04.272000274 +0000 @@ -246,6 +246,7 @@ runinit (&runner); runner_add_args (&runner, SBIN_DIR"/glusterfs", + "--selinux", "-s", "localhost", "--volfile-id", volname, "--use-readdirp=no", --- ./xlators/mgmt/glusterd/src/glusterd-volume-ops.c_orig 2015-08-26 00:21:01.195000301 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-volume-ops.c 2015-08-26 00:22:42.866000330 +0000 
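Review bot: the Release bump in the spec hunk, `+Release: 4%{?prereltag:.%{prereltag}}%{?dist}rda`, glues the private suffix directly onto the dist tag (so a build ends up as `4.el7rda` rather than `4.el7.rda` or `4.rda.el7`); separate the local tag from `%{?dist}` with a dot, or put it before the dist tag, so the distribution tag stays intact and the version remains readable when comparing against stock packages.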
@@ -2770,7 +2770,7 @@ runinit (&runner); glusterd_get_trusted_client_filepath (client_volfpath, volinfo, volinfo->transport_type); - runner_add_args (&runner, SBIN_DIR"/glusterfs", "-f", NULL); + runner_add_args (&runner, SBIN_DIR"/glusterfs", "-f", NULL, "--selinux"); runner_argprintf (&runner, "%s", client_volfpath); runner_add_arg (&runner, "-l"); runner_argprintf (&runner, DEFAULT_LOG_FILE_DIRECTORY --- ./xlators/mgmt/glusterd/src/glusterd-mountbroker.c_orig 2015-08-26 00:21:01.185000302 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-mountbroker.c 2015-08-26 00:21:54.417000313 +0000 @@ -659,6 +659,7 @@ runinit (&runner); runner_add_arg (&runner, SBIN_DIR"/glusterfs"); + runner_add_arg (&runner, "--selinux"); seq_dict_foreach (argdict, _runner_add, &runner); runner_add_arg (&runner, mtptemp); ret = runner_run_reuse (&runner); --- ./xlators/mgmt/glusterd/src/glusterd-rebalance.c_orig 2015-08-26 00:21:01.188000301 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-rebalance.c 2015-08-26 00:22:14.668000295 +0000 @@ -261,6 +261,7 @@ snprintf (volname, sizeof(volname), "rebalance/%s", volinfo->volname); runner_add_args (&runner, SBIN_DIR"/glusterfs", + "--selinux", "-s", "localhost", "--volfile-id", volname, "--xlator-option", "*dht.use-readdirp=yes", "--xlator-option", "*dht.lookup-unhashed=yes", --- ./xlators/mgmt/glusterd/src/glusterd-replace-brick.c_orig 2015-08-26 00:21:01.189000301 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-replace-brick.c 2015-08-26 00:22:18.535000291 +0000 @@ -83,6 +83,7 @@ runinit (&runner); runner_add_args (&runner, SBIN_DIR"/glusterfs", + "--selinux", "-s", "localhost", "--volfile-id", volinfo->volname, "--client-pid", pid, --- ./xlators/mgmt/glusterd/src/glusterd-snapd-svc.c_orig 2015-08-26 00:21:01.191000299 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-snapd-svc.c 2015-08-26 00:22:22.317000303 +0000 
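Review bot: in the glusterd-volume-ops.c hunk the new flag is appended after the NULL terminator, `runner_add_args (&runner, SBIN_DIR"/glusterfs", "-f", NULL, "--selinux");`, so the variadic argument list stops before it and `--selinux` is never added to that glusterfs command line. Move it in front of the terminator, e.g. `runner_add_args (&runner, SBIN_DIR"/glusterfs", "--selinux", "-f", NULL);`, which also matches how the quota, rebalance and replace-brick hunks place the flag ahead of `-s`.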
@@ -287,6 +287,7 @@ snprintf (snapd_id, sizeof (snapd_id), "snapd-%s", volinfo->volname); runner_add_args (&runner, SBIN_DIR"/glusterfsd", + "--selinux", "-s", svc->proc.volfileserver, "--volfile-id", svc->proc.volfileid, "-p", svc->proc.pidfile, --- ./xlators/mgmt/glusterd/src/glusterd-utils.c_orig 2015-08-26 00:21:01.193000300 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-utils.c 2015-08-26 00:22:32.278000299 +0000 @@ -1620,6 +1620,7 @@ (void) snprintf (glusterd_uuid, 1024, "*-posix.glusterd-uuid=%s", uuid_utoa (MY_UUID)); runner_add_args (&runner, SBIN_DIR"/glusterfsd", + "--selinux", "-s", brickinfo->hostname, "--volfile-id", volfile, "-p", pidfile, "-S", socketpath, "--brick-name", brickinfo->path, --- ./xlators/mgmt/glusterd/src/glusterd-svc-mgmt.c_orig 2015-08-26 00:21:01.192000299 +0000 +++ ./xlators/mgmt/glusterd/src/glusterd-svc-mgmt.c 2015-08-26 00:22:28.821000303 +0000 
@@ -182,6 +182,7 @@ } runner_add_args (&runner, SBIN_DIR"/glusterfs", + "--selinux", "-s", svc->proc.volfileserver, "--volfile-id", svc->proc.volfileid, "-p", svc->proc.pidfile,
-----------------------------------------
Although this applies --selinux to all processes:

# ps -eo args |grep glust
/usr/sbin/glusterd --pid-file=/var/run/glusterd.pid --selinux
/usr/sbin/glusterfsd --selinux -s ga --volfile-id gvol.ga.b1 -p /var/lib/glusterd/vols/gvol/run/ga-b1.pid -S /var/run/gluster/11753d16ee8a048e5f9b2331cbcfd4c7.socket --brick-name /b1 -l /var/log/glusterfs/bricks/b1.log --xlator-option *-posix.glusterd-uuid=6f491c3b-53d5-4928-8435-6c3d84f3ce53 --brick-port 49152 --xlator-option gvol-server.listen-port=49152
/usr/sbin/glusterfs --selinux -s localhost --volfile-id gluster/glustershd -p /var/lib/glusterd/glustershd/run/glustershd.pid -l /var/log/glusterfs/glustershd.log -S /var/run/gluster/6502d8ef42d50130bd676cf9ef26c76d.socket --xlator-option *replicate*.node-uuid=6f491c3b-53d5-4928-8435-6c3d84f3ce53
/usr/sbin/glusterfs --selinux --volfile-server=localhost --volfile-id=/gvol /data

.. I still see the same error using chcon. So something deeper in the code seems to be missing. Anyone have an idea where the disconnect is?

Ping, this is being referenced externally as well:
https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159730627

Note that this bug depends on #1318100. Until that is resolved, Gluster will not be able to change the SELinux labels. The standard SELinux mount options to set specific labels for the whole mounted Gluster volume can be used (like "context", see #1287877 and http://review.gluster.org/12870).

https://bugzilla.redhat.com/show_bug.cgi?id=1318100#c1 also contains some more details, and points to a discussion on the mailing list:

> At the moment it is not possible to set the SELinux context on a mounted
> Gluster Volume. We intend to have this functionality added to the Gluster core,
> and from there on add support to additional layers (FUSE, Labelled NFS, ...).
>
> More details are listed in a conversation on the Gluster developers list:
> http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/13071e

This is not something that we'll be able to backport to 3.7 or 3.8. We might be able to get initial support in GlusterFS 3.9. Changes to the kernel to support SELinux over FUSE might not be ready by that time though.

I'm closing this as DEFERRED, because SELinux support on Gluster volumes will not happen in 3.7.
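The closing comment distinguishes two situations on a Gluster client: a plain FUSE mount, on which chcon fails because per-file labels cannot be stored, and a mount made with the SELinux `context=` option, where every file carries the one label given at mount time. The script below is an added example for this report, not code from GlusterFS or from anyone in the thread; it reads a table in `/proc/self/mountinfo` format and tells, per mount, which of those cases applies, by looking at the super-block options after the `-` separator (`seclabel` for filesystems that keep per-file labels, `context=` for a whole-mount label). The sample table, its hostnames, device names and contexts are constructed for the example, and the four mode names are this example's own.

```python
"""Check how SELinux labelling behaves on each mount in a mountinfo table.

Added example; not GlusterFS code. Parses the /proc/self/mountinfo format:

  id parent major:minor root mountpoint mount-opts [optional...] - fstype source super-opts

and classifies each mount by what its super-block options say about labels.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample (invented names): an xfs root with per-file labels, a plain
# GlusterFS FUSE mount (the situation in this bug) and a GlusterFS context= mount.
SAMPLE_MOUNTINFO = r"""
24 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,seclabel,attr2,inode64,noquota
62 24 0:41 / /data rw,relatime shared:30 - fuse.glusterfs localhost:/gvol rw,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072
63 24 0:42 / /mnt/gluster\040ctx rw,relatime shared:31 - fuse.glusterfs localhost:/gvol rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2",user_id=0,group_id=0,allow_other
"""

# Mode names are this example's own, not kernel or Gluster terminology.
PER_FILE = "per-file-labels"          # seclabel: chcon/setfiles work on single files
WHOLE_MOUNT = "whole-mount-context"   # context=: one label for all files, chcon refused
NO_LABELING = "no-per-file-labeling"  # GlusterFS FUSE mount with neither: this bug
UNLABELED = "unlabeled"               # anything else


@dataclass
class Mount:
    mountpoint: str
    fstype: str
    source: str
    mount_opts: List[str]
    super_opts: Dict[str, str]  # option name -> value ("" for flag-only options)


def _unescape(field: str) -> str:
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\[0-7]{3}", lambda m: chr(int(m.group(0)[1:], 8)), field)


def _split_opts(opts: str) -> Dict[str, str]:
    # Split on commas outside double quotes, so an MLS range such as
    # context="...:s0:c1,c2" survives as a single option.
    result: Dict[str, str] = {}
    for item in re.findall(r'(?:[^,"]|"[^"]*")+', opts):
        name, _, value = item.partition("=")
        result[name] = value.strip('"')
    return result


def parse_mountinfo(text: str) -> List[Mount]:
    mounts: List[Mount] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")  # separator before fstype
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        lf = left.split()
        fstype, source, super_opts = right.split(None, 2)
        mounts.append(Mount(
            mountpoint=_unescape(lf[4]),
            fstype=fstype,
            source=_unescape(source),
            mount_opts=lf[5].split(","),
            super_opts=_split_opts(super_opts),
        ))
    return mounts


def labeling_mode(m: Mount) -> str:
    if "context" in m.super_opts:
        return WHOLE_MOUNT
    if "seclabel" in m.super_opts:
        return PER_FILE
    if m.fstype == "fuse.glusterfs":
        return NO_LABELING
    return UNLABELED


def report(text: str) -> Dict[str, str]:
    """Map each mount point to its labelling mode."""
    return {m.mountpoint: labeling_mode(m) for m in parse_mountinfo(text)}


if __name__ == "__main__":
    for mountpoint, mode in report(SAMPLE_MOUNTINFO).items():
        print("%-22s %s" % (mountpoint, mode))
```

Run it against a live system by replacing `SAMPLE_MOUNTINFO` with the contents of `/proc/self/mountinfo`; a Gluster mount reported as `no-per-file-labeling` is exactly the case this bug is about, and remounting it with `-o context=...` moves it to `whole-mount-context`, which labels everything uniformly but still does not allow chcon on individual files.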