Description of problem: If we mount any fuse filesystem in SELinux environment, SELinux labels it with type "fusefs_t". SELinux does not understand fuse subsystem, meaning that SELinux only understands FUSE not the actual file system which is built on top of fuse like glusterfs etc. So as of now all the different available FUSE filesystem are treated as same by SELinux. And when we try to change the context using chcon command we get "Operation not supported" error as below: [root@dhcp210-110 mnt]# mount | grep /mnt 10.65.233.230:pure-replica-3 on /mnt type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072) [root@dhcp210-110 mnt]# ll -Z drwxr-xr-x. root root system_u:object_r:fusefs_t:s0 bipin [root@dhcp210-110 /]# ps -ax | grep glusterfs | grep selinux 26661 ? Ssl 0:00 /usr/sbin/glusterfs --selinux --volfile-server=10.65.233.230 --volfile-id=pure-replica-3 /mnt [root@dhcp210-110 mnt]# chcon -t usr_t bipin/ chcon: failed to change context of `bipin/' to `system_u:object_r:usr_t:s0': Operation not supported <<---ERROR While checking for SELinux labeling support for FUSE subsystem, I found that a patch was submitted in Kernel long back and later it was reverted. Actual patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=102aefdda4d8275ce7d7100bc16c88c74272b260 Revert : http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d546f81717d253ab67643bf072c6d8821a9249c or http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29b1deb2a48a9dd02b93597aa4c055a24c0e989f
---------- Forwarded message ---------- From: Paul Moore <pmoore> Date: Fri, Oct 16, 2015 at 3:59 AM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Bipin Kunal <bkunal>, Eric Paris <eparis> Cc: Daniel J Walsh <dwalsh>, selinux-internal-list, Pranith Kumar Karampuri <pkarampu>, Brian Foster <bfoster>, Niels de Vos <ndevos> According to Eric the issue is that the sb->s_subtype information isn't available until after the security_sb_kern_mount() hook. From spending a little bit of time looking at the code just now, it appears that the subtype doesn't get set until after vfs_kern_mount() returns. It is also a bit annoying that the subtype doesn't appear to be propagated into vfs_kern_mount() which makes this more difficult. If we are going to solve this problem I suspect we will need to change vfs_kern_mount()/mount_fs() to pass the full fs type string into security_sb_kern_mount(). Does that sound right to you Eric, or am I missing something? -- paul moore security @ redhat
---------- Forwarded message ---------- From: Brian Foster <bfoster> Date: Fri, Oct 16, 2015 at 9:05 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Paul Moore <pmoore> Cc: Bipin Kunal <bkunal>, Eric Paris <eparis>, Daniel J Walsh <dwalsh>, selinux-internal-list, Pranith Kumar Karampuri <pkarampu>, Niels de Vos <ndevos> Something like the attached patch, perhaps? Note that this is quickly hacked together, completely untested and probably not something I would send upstream as-is. For one, any changes here should probably be included with the selinux bits for appropriate justification. I'd also expect to kill the vfs_kern_mount_subtype() hack as that was just for expediency (but I suppose that could be rfc'd just as well). Brian
Created attachment 1084265 [details] sample patch
---------- Forwarded message ---------- From: Paul Moore <pmoore> Date: Fri, Oct 16, 2015 at 11:42 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Brian Foster <bfoster>, Eric Paris <eparis> Cc: Bipin Kunal <bkunal>, Daniel J Walsh <dwalsh>, selinux-internal-list, Pranith Kumar Karampuri <pkarampu>, Niels de Vos <ndevos> I didn't look too closely, but yes, something like that. I do wonder if it would be possible to just change vfs_kern_mount() to take the subtype parameter and not bother with vfs_kern_mount_subtype(). Maybe not. You likely no more about what the VFS devs find acceptable than I do. However, I'd like to hear from Eric about what he remembers from when he touched this last time. I know he has moved on to the cloooooouuuud, but I'd like to try and avoid making the same mistakes twice. -- paul moore security @ redhat
---------- Forwarded message ---------- From: Brian Foster <bfoster> Date: Fri, Oct 16, 2015 at 11:58 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Paul Moore <pmoore> Cc: Eric Paris <eparis>, Bipin Kunal <bkunal>, Daniel J Walsh <dwalsh>, selinux-internal-list, Pranith Kumar Karampuri <pkarampu>, Niels de Vos <ndevos> As mentioned above, I only did that so I didn't have to go and change all of the other vfs_kern_mount() callers. :) We should probably kill that, but it's not necessary to see if the core change solves the problem with the original selinux patch (if we confirm that in fact was the original problem). Brian
---------- Forwarded message ---------- From: Paul Moore <pmoore> Date: Sat, Oct 17, 2015 at 12:10 AM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Brian Foster <bfoster> Cc: Eric Paris <eparis>, Bipin Kunal <bkunal>, Daniel J Walsh <dwalsh>, selinux-internal-list, Pranith Kumar Karampuri <pkarampu>, Niels de Vos <ndevos> Fair enough, it sounds like we're on the same page :) If I don't see anything from Eric by early next week I'll hunt him down on IRC and pick his brain a bit on this. -- paul moore security @ redhat
Hello All, Wondering if there is any solution yet for this issue? if there is please provide the link Suzu
I am spending too much time on this and not able to find an article that 100% says its doable. Suzu