+++ This bug was initially created as a clone of Bug #1272868 +++

Description of problem:

If we mount any fuse filesystem in SELinux environment, SELinux labels it with type "fusefs_t".
SELinux does not understand fuse subsystem, meaning that SELinux only understands FUSE not the actual file system which is built on top of fuse like glusterfs etc.

So as of now all the different available FUSE filesystem are treated as same by SELinux.

And when we try to change the context using chcon command we get "Operation not supported" error as below:

[root@dhcp210-110 mnt]# mount | grep /mnt
10.65.233.230:pure-replica-3 on /mnt type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072)

[root@dhcp210-110 mnt]# ll -Z 
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    bipin

[root@dhcp210-110 /]# ps -ax | grep glusterfs | grep selinux
26661 ?        Ssl    0:00 /usr/sbin/glusterfs --selinux --volfile-server=10.65.233.230 --volfile-id=pure-replica-3 /mnt

[root@dhcp210-110 mnt]# chcon -t usr_t bipin/
chcon: failed to change context of `bipin/' to `system_u:object_r:usr_t:s0': Operation not supported  <<---ERROR


While checking for SELinux labeling support for FUSE subsystem, I found that a patch was submitted in Kernel long back and later it was reverted.

Actual patch: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=102aefdda4d8275ce7d7100bc16c88c74272b260

Revert : 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4d546f81717d253ab67643bf072c6d8821a9249c

or

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29b1deb2a48a9dd02b93597aa4c055a24c0e989f

--- Additional comment from Bipin Kunal on 2015-10-19 02:12:25 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Fri, Oct 16, 2015 at 3:59 AM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com>
Cc: Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Brian Foster <bfoster@redhat.com>, Niels de Vos <ndevos@redhat.com>

According to Eric the issue is that the sb->s_subtype information isn't
available until after the security_sb_kern_mount() hook.  From spending a
little bit of time looking at the code just now, it appears that the subtype
doesn't get set until after vfs_kern_mount() returns.

It is also a bit annoying that the subtype doesn't appear to be propagated
into vfs_kern_mount() which makes this more difficult.  If we are going to
solve this problem I suspect we will need to change
vfs_kern_mount()/mount_fs() to pass the full fs type string into
security_sb_kern_mount().  Does that sound right to you Eric, or am I missing
something?

--
paul moore
security @ redhat

--- Additional comment from Bipin Kunal on 2015-10-19 02:13:20 EDT ---

---------- Forwarded message ----------
From: Brian Foster <bfoster@redhat.com>
Date: Fri, Oct 16, 2015 at 9:05 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Paul Moore <pmoore@redhat.com>
Cc: Bipin Kunal <bkunal@redhat.com>, Eric Paris <eparis@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

Something like the attached patch, perhaps? Note that this is quickly
hacked together, completely untested and probably not something I would
send upstream as-is. For one, any changes here should probably be
included with the selinux bits for appropriate justification. I'd also
expect to kill the vfs_kern_mount_subtype() hack as that was just for
expediency (but I suppose that could be rfc'd just as well).

Brian

--- Additional comment from Bipin Kunal on 2015-10-19 02:14 EDT ---



--- Additional comment from Bipin Kunal on 2015-10-19 02:14:52 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Fri, Oct 16, 2015 at 11:42 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Brian Foster <bfoster@redhat.com>, Eric Paris <eparis@redhat.com>
Cc: Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

I didn't look too closely, but yes, something like that.  I do wonder if it
would be possible to just change vfs_kern_mount() to take the subtype
parameter and not bother with vfs_kern_mount_subtype().  Maybe not.  You
likely no more about what the VFS devs find acceptable than I do.

However, I'd like to hear from Eric about what he remembers from when he
touched this last time.  I know he has moved on to the cloooooouuuud, but I'd
like to try and avoid making the same mistakes twice.

--
paul moore
security @ redhat

--- Additional comment from Bipin Kunal on 2015-10-19 02:15:38 EDT ---


---------- Forwarded message ----------
From: Brian Foster <bfoster@redhat.com>
Date: Fri, Oct 16, 2015 at 11:58 PM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Paul Moore <pmoore@redhat.com>
Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>

As mentioned above, I only did that so I didn't have to go and change
all of the other vfs_kern_mount() callers. :) We should probably kill
that, but it's not necessary to see if the core change solves the
problem with the original selinux patch (if we confirm that in fact was
the original problem).

Brian

--- Additional comment from Bipin Kunal on 2015-10-19 02:16:04 EDT ---

---------- Forwarded message ----------
From: Paul Moore <pmoore@redhat.com>
Date: Sat, Oct 17, 2015 at 12:10 AM
Subject: Re: [selinux-internal] Selinux labeling for FUSE subsystem
To: Brian Foster <bfoster@redhat.com>
Cc: Eric Paris <eparis@redhat.com>, Bipin Kunal <bkunal@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>, selinux-internal-list@redhat.com, Pranith Kumar Karampuri <pkarampu@redhat.com>, Niels de Vos <ndevos@redhat.com>


Fair enough, it sounds like we're on the same page :)

If I don't see anything from Eric by early next week I'll hunt him down on IRC
and pick his brain a bit on this.

--
paul moore
security @ redhat