Bug 1291606 - RFE: Add support for filesystem subtypes in SELinux
RFE: Add support for filesystem subtypes in SELinux
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kernel (Show other bugs)
7.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Paul Moore
Filesystem QE
: FutureFeature, Reproducer
Depends On: 1272868
Blocks: 1230671 1256635 1408949 1468983
  Show dependency treegraph
 
Reported: 2015-12-15 04:25 EST by Bipin Kunal
Modified: 2017-07-11 05:50 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1272868
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bipin Kunal 2015-12-15 04:25:16 EST
+++ This bug was initially created as a clone of Bug #1272868 +++

Description of problem:

If we mount any fuse filesystem in SELinux environment, SELinux labels it with type "fusefs_t".
SELinux does not understand fuse subsystem, meaning that SELinux only understands FUSE not the actual file system which is built on top of fuse like glusterfs etc.

So as of now all the different available FUSE filesystem are treated as same by SELinux.

And when we try to change the context using chcon command we get "Operation not supported" error as below:

[root@dhcp210-110 mnt]# mount | grep /mnt
10.65.233.230:pure-replica-3 on /mnt type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072)

[root@dhcp210-110 mnt]# ll -Z 
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    bipin

[root@dhcp210-110 /]# ps -ax | grep glusterfs | grep selinux
26661 ?        Ssl    0:00 /usr/sbin/glusterfs --selinux --volfile-server=10.65.233.230 --volfile-id=pure-replica-3 /mnt

[root@dhcp210-110 mnt]# chcon -t usr_t bipin/
chcon: failed to change context of `bipin/' to `system_u:object_r:usr_t:s0': Operation not supported  <<---ERROR


While checking for SELinux labeling support for FUSE subsystem, I found that a patch was submitted in Kernel long back and later it was reverted.

Actual patch: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=102aefdda4d8275ce7d7100bc16c88c74272b260

Revert : 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d546f81717d253ab67643bf072c6d8821a9249c

or

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29b1deb2a48a9dd02b93597aa4c055a24c0e989f

--- Additional comment from Bipin Kunal on 2015-10-19 02:12:25 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Fri, Oct 16, 2015 at 3:59 AM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com>
Cc: Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Brian Foster <bfoster@redhat.com>, Niels de Vos <ndevos@redhat.com>

According to Eric the issue is that the sb->s_subtype information isn't
available until after the security_sb_kern_mount() hook.  From spending a
little bit of time looking at the code just now, it appears that the subtype
doesn't get set until after vfs_kern_mount() returns.

It is also a bit annoying that the subtype doesn't appear to be propagated
into vfs_kern_mount() which makes this more difficult.  If we are going to
solve this problem I suspect we will need to change
vfs_kern_mount()/mount_fs() to pass the full fs type string into
security_sb_kern_mount().  Does that sound right to you Eric, or am I missing
something?

--
paul moore
security @ redhat

--- Additional comment from Bipin Kunal on 2015-10-19 02:13:20 EDT ---

---------- Forwarded message ----------
From: Brian Foster <bfoster@redhat.com>
Date: Fri, Oct 16, 2015 at 9:05 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Paul Moore <pmoore@redhat.com>
Cc: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

Something like the attached patch, perhaps? Note that this is quickly
hacked together, completely untested and probably not something I would
send upstream as-is. For one, any changes here should probably be
included with the selinux bits for appropriate justification. I'd also
expect to kill the vfs_kern_mount_subtype() hack as that was just for
expediency (but I suppose that could be rfc'd just as well).

Brian

--- Additional comment from Bipin Kunal on 2015-10-19 02:14 EDT ---



--- Additional comment from Bipin Kunal on 2015-10-19 02:14:52 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Fri, Oct 16, 2015 at 11:42 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Brian Foster <bfoster@redhat.com>, Eric Paris <eparis@redhat.com>
Cc: Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

I didn't look too closely, but yes, something like that.  I do wonder if it
would be possible to just change vfs_kern_mount() to take the subtype
parameter and not bother with vfs_kern_mount_subtype().  Maybe not.  You
likely no more about what the VFS devs find acceptable than I do.

However, I'd like to hear from Eric about what he remembers from when he
touched this last time.  I know he has moved on to the cloooooouuuud, but I'd
like to try and avoid making the same mistakes twice.

--
paul moore
security @ redhat

--- Additional comment from Bipin Kunal on 2015-10-19 02:15:38 EDT ---


---------- Forwarded message ----------
From: Brian Foster <bfoster@redhat.com>
Date: Fri, Oct 16, 2015 at 11:58 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Paul Moore <pmoore@redhat.com>
Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

As mentioned above, I only did that so I didn't have to go and change
all of the other vfs_kern_mount() callers. :) We should probably kill
that, but it's not necessary to see if the core change solves the
problem with the original selinux patch (if we confirm that in fact was
the original problem).

Brian

--- Additional comment from Bipin Kunal on 2015-10-19 02:16:04 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Sat, Oct 17, 2015 at 12:10 AM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Brian Foster <bfoster@redhat.com>
Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>


Fair enough, it sounds like we're on the same page :)

If I don't see anything from Eric by early next week I'll hunt him down on IRC
and pick his brain a bit on this.

--
paul moore
security @ redhat
Comment 2 Bipin Kunal 2016-01-19 07:15:38 EST
Paul,

Can we prioritize this Bug?

Thanks,
Bipin Kunal
Comment 3 Paul Moore 2016-01-19 08:53:54 EST
(In reply to Bipin Kunal from comment #2)
> Paul,
> 
> Can we prioritize this Bug?

Considering that this is a RFE, not a bug/regression, and we do not currently have any serious patches implementing this feature, just some basic design discussions, I don't believe this is suitable for RHEL7.3.  We can revisit this feature in the RHEL7.4 timeframe.  In the meantime, if you have any customer requirements or any other material that you feel would be helpful in setting priorities, I would suggest you leave a comment in this BZ.
Comment 5 Daniel Walsh 2016-02-26 15:50:58 EST
Can we get this into Fedora release?
Comment 6 Paul Moore 2016-02-26 16:27:35 EST
Sure, once we have it fixed upstream ... and we currently don't have it fixed upstream.

Note You need to log in before you can comment on or make changes to this bug.