Hide Forgot
+++ This bug was initially created as a clone of Bug #1272868 +++ Description of problem: If we mount any fuse filesystem in SELinux environment, SELinux labels it with type "fusefs_t". SELinux does not understand fuse subsystem, meaning that SELinux only understands FUSE not the actual file system which is built on top of fuse like glusterfs etc. So as of now all the different available FUSE filesystem are treated as same by SELinux. And when we try to change the context using chcon command we get "Operation not supported" error as below: [root@dhcp210-110 mnt]# mount | grep /mnt 10.65.233.230:pure-replica-3 on /mnt type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072) [root@dhcp210-110 mnt]# ll -Z drwxr-xr-x. root root system_u:object_r:fusefs_t:s0 bipin [root@dhcp210-110 /]# ps -ax | grep glusterfs | grep selinux 26661 ? Ssl 0:00 /usr/sbin/glusterfs --selinux --volfile-server=10.65.233.230 --volfile-id=pure-replica-3 /mnt [root@dhcp210-110 mnt]# chcon -t usr_t bipin/ chcon: failed to change context of `bipin/' to `system_u:object_r:usr_t:s0': Operation not supported <<---ERROR While checking for SELinux labeling support for FUSE subsystem, I found that a patch was submitted in Kernel long back and later it was reverted. Actual patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=102aefdda4d8275ce7d7100bc16c88c74272b260 Revert : http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d546f81717d253ab67643bf072c6d8821a9249c or http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29b1deb2a48a9dd02b93597aa4c055a24c0e989f --- Additional comment from Bipin Kunal on 2015-10-19 02:12:25 EDT --- ---------- Forwarded message ---------- From: Paul Moore <pmoore@redhat.com> Date: Fri, Oct 16, 2015 at 3:59 AM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com> Cc: Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Brian Foster <bfoster@redhat.com>, Niels de Vos <ndevos@redhat.com> According to Eric the issue is that the sb->s_subtype information isn't available until after the security_sb_kern_mount() hook. From spending a little bit of time looking at the code just now, it appears that the subtype doesn't get set until after vfs_kern_mount() returns. It is also a bit annoying that the subtype doesn't appear to be propagated into vfs_kern_mount() which makes this more difficult. If we are going to solve this problem I suspect we will need to change vfs_kern_mount()/mount_fs() to pass the full fs type string into security_sb_kern_mount(). Does that sound right to you Eric, or am I missing something? -- paul moore security @ redhat --- Additional comment from Bipin Kunal on 2015-10-19 02:13:20 EDT --- ---------- Forwarded message ---------- From: Brian Foster <bfoster@redhat.com> Date: Fri, Oct 16, 2015 at 9:05 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Paul Moore <pmoore@redhat.com> Cc: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com> Something like the attached patch, perhaps? Note that this is quickly hacked together, completely untested and probably not something I would send upstream as-is. For one, any changes here should probably be included with the selinux bits for appropriate justification. I'd also expect to kill the vfs_kern_mount_subtype() hack as that was just for expediency (but I suppose that could be rfc'd just as well). Brian --- Additional comment from Bipin Kunal on 2015-10-19 02:14 EDT --- --- Additional comment from Bipin Kunal on 2015-10-19 02:14:52 EDT --- ---------- Forwarded message ---------- From: Paul Moore <pmoore@redhat.com> Date: Fri, Oct 16, 2015 at 11:42 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Brian Foster <bfoster@redhat.com>, Eric Paris <eparis@redhat.com> Cc: Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com> I didn't look too closely, but yes, something like that. I do wonder if it would be possible to just change vfs_kern_mount() to take the subtype parameter and not bother with vfs_kern_mount_subtype(). Maybe not. You likely no more about what the VFS devs find acceptable than I do. However, I'd like to hear from Eric about what he remembers from when he touched this last time. I know he has moved on to the cloooooouuuud, but I'd like to try and avoid making the same mistakes twice. -- paul moore security @ redhat --- Additional comment from Bipin Kunal on 2015-10-19 02:15:38 EDT --- ---------- Forwarded message ---------- From: Brian Foster <bfoster@redhat.com> Date: Fri, Oct 16, 2015 at 11:58 PM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Paul Moore <pmoore@redhat.com> Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com> As mentioned above, I only did that so I didn't have to go and change all of the other vfs_kern_mount() callers. :) We should probably kill that, but it's not necessary to see if the core change solves the problem with the original selinux patch (if we confirm that in fact was the original problem). Brian --- Additional comment from Bipin Kunal on 2015-10-19 02:16:04 EDT --- ---------- Forwarded message ---------- From: Paul Moore <pmoore@redhat.com> Date: Sat, Oct 17, 2015 at 12:10 AM Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem To: Brian Foster <bfoster@redhat.com> Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com> Fair enough, it sounds like we're on the same page :) If I don't see anything from Eric by early next week I'll hunt him down on IRC and pick his brain a bit on this. -- paul moore security @ redhat
Paul, Can we prioritize this Bug? Thanks, Bipin Kunal
(In reply to Bipin Kunal from comment #2) > Paul, > > Can we prioritize this Bug? Considering that this is a RFE, not a bug/regression, and we do not currently have any serious patches implementing this feature, just some basic design discussions, I don't believe this is suitable for RHEL7.3. We can revisit this feature in the RHEL7.4 timeframe. In the meantime, if you have any customer requirements or any other material that you feel would be helpful in setting priorities, I would suggest you leave a comment in this BZ.
Can we get this into Fedora release?
Sure, once we have it fixed upstream ... and we currently don't have it fixed upstream.
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.