RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1814689 - Enable SELinux on CephFS
Summary: Enable SELinux on CephFS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
: 1496492 1767402 (view as bug list)
Depends On: 1496492 1632385 1715572 1814668 1823764
Blocks: 1812948
TreeView+ depends on / blocked
 
Reported: 2020-03-18 14:19 UTC by Jeff Layton
Modified: 2021-10-14 15:10 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Allow associating SELinux types with CephFS Reason: Support for SELinux extended attributes on a CephFS filesystem has been added to the kernel recently. To make use of it, SELinux policy needs to be adjusted, too. Result: Any SELinux file type can now associate to a CephFS filesystem and an individual file can have a particular SELinux type assigned.
Clone Of: 1496492
Environment:
Last Closed: 2020-11-04 01:56:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4528 0 None None None 2020-11-04 01:56:32 UTC

Comment 1 Jeff Layton 2020-03-18 14:30:55 UTC 
This is the patch that went upstream:

commit 862368c92def52e3bccce571a46cd99dce34fc78
Author: Jeff Layton <jlayton>
Date:   Wed Oct 30 14:12:06 2019 -0400

    Allow cephfs to use xattrs for storing contexts
    
    cephfs recently gained the ability to store SELinux contexts in an xattr
    (like most local filesystems). Change the policy to allow for this.
    
    Signed-off-by: Jeff Layton <jlayton>

I am a bit concerned about breaking existing setups though. Do need some sort of transition mechanism to ensure that existing setups don't break when the policy is updated? Some thoughts:

1) can we make it so that files without a security.selinux xattr default to system_u:object_r:cephfs_t:s0, without requiring the user to mount with defcontext= ? That would probably make the transition seamless for files that preexisted the policy change, and also (probably?) on kernels that don't support security.selinux xattr.

2) do we need a new SELinux boolean (e.g. cephfs_use_xattr_context)? That might a way to allow users to opt-in if we're concerned about breaking existing setups. I'm not sure what the semantics should be there however.
Comment 2 Lukas Vrabec 2020-03-18 14:35:19 UTC 
Hi Jeff, 

What is expected here from us please? Can you make it clear? What is the target? RHEL-8.3? Can we have a meeting about it? 

Thanks,
Lukas.
Comment 14 Jeff Layton 2020-03-23 14:58:32 UTC 
Oops, I think I didn't quite get this tested correctly originally. The selinux-policy package on my centos8 box is overlaying the mount with system_u:object_r:cephfs_t:s0. Is there an updated set of selinux-policy packages I can install to test this properly?
Comment 15 Ondrej Mosnacek 2020-03-24 12:27:12 UTC 
(In reply to Jeff Layton from comment #14)
> Oops, I think I didn't quite get this tested correctly originally. The
> selinux-policy package on my centos8 box is overlaying the mount with
> system_u:object_r:cephfs_t:s0. Is there an updated set of selinux-policy
> packages I can install to test this properly?

So I finally figured out how to set up a cephfs mount on RHEL-8 and I tried it myself. It turns out I forgot to add "ceph" to another if condition... It needs to be added also to selinux_is_genfs_special_handling(). I'm currently brewing a new test kernel and then I'll re-test.

Anyway, you don't need to install new selinux-policy package to test the approach I proposed (just the kernel), as long as you run the two commands from comment #13.
Comment 16 Jeff Layton 2020-03-24 13:44:27 UTC 
Ok, great. Let me know when you have a kernel ready to go and I'll test it as well.
Comment 17 Ondrej Mosnacek 2020-03-24 14:36:14 UTC 
The kernel is now built:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=27444099

I just tested it and it behaves exactly as intended. The existing unlabeled files show up with label cephfs_t and newly created files get a permanent label based on the parent's context (so they normally inherit the cephfs_t label). Changing file/directory labels using chcon works and the new context is applied when creating files inside a relabeled directory. This is all assuming the extra '(allow file_type cephfs_t (filesystem (associate)))' exists in the policy.

So to sum it up, we have two options:
OPTION 1 (Upstream approach):
  kernel: set CONFIG_CEPH_FS_SECURITY_LABEL=y
  policy: backport 862368c92def ("Allow cephfs to use xattrs for storing contexts")
  PROS:
    - consistency with upstream/Fedora
  CONS:
    - mounting with defcontext=... needed for unlabeled files to show up as cephfs_t as before

OPTION 2 (Approach with better backwards compat):
  kernel: set CONFIG_CEPH_FS_SECURITY_LABEL=y + add "ceph" to the list of filesystems for which combined genfs + xattrs labeling is used (RHEL-8-only patch)
  policy: add rule 'allow file_type cephfs_t:filesystem { associate };' (RHEL-8-only patch)
  PROS:
    - unlabeled CephFS trees still show up as cephfs_t (less dramatic change for customers)
  CONS:
    - differences from upstream (just a few lines of code, though)

We (the SELinux team) should have no problem supporting either option, so it's down to which is better for you (well, the CephFS customers, actually, but you should know their expectations better than us ;)
Comment 18 Jeff Layton 2020-03-25 12:48:41 UTC 
*** Bug 1767402 has been marked as a duplicate of this bug. ***
Comment 19 Jeff Layton 2020-03-25 12:57:17 UTC 
Ok, I tested 4.18.0-191.1.el8.ceph_labeling.x86_64 this morning. Looks good:

# ls -lZ
total 0
drwxr-xr-x.  2 root root unconfined_u:object_r:cephfs_t:s0  0 Mar 25 08:52 foo
drwxrwxrwx.  2 root root unconfined_u:object_r:cephfs_t:s0  0 Mar 25 08:37 scratch
drwxr-xr-x. 21 root root unconfined_u:object_r:cephfs_t:s0 57 Mar 25 08:44 test
# chcon system_u:object_r:tmpfs_t:s0 foo
# ls -lZ
total 0
drwxr-xr-x.  2 root root system_u:object_r:tmpfs_t:s0       0 Mar 25 08:52 foo
drwxrwxrwx.  2 root root unconfined_u:object_r:cephfs_t:s0  0 Mar 25 08:37 scratch
drwxr-xr-x. 21 root root unconfined_u:object_r:cephfs_t:s0 57 Mar 25 08:44 test
# mkdir foo/bar
# ls -laZ foo
total 0
drwxr-xr-x. 3 root root system_u:object_r:tmpfs_t:s0        1 Mar 25 08:53 .
drwxrwxrwt. 5 root root system_u:object_r:cephfs_t:s0       3 Mar 25 08:52 ..
drwxr-xr-x. 2 root root unconfined_u:object_r:user_tmp_t:s0 0 Mar 25 08:53 bar

...it didn't directly inherit the tmpfs_t context, but the files in /tmp all have a user_tmp_t context so I assume it did the right thing here.
Comment 20 Ondrej Mosnacek 2020-03-26 12:01:19 UTC 
(In reply to Jeff Layton from comment #19)
> ...it didn't directly inherit the tmpfs_t context, but the files in /tmp all
> have a user_tmp_t context so I assume it did the right thing here.

Yes, that's just the tmpfs_t type transition rule being applied as it should. I should've suggested a different type for testing (e.g. usr_t), but tmpfs_t works as well, just has different expected behavior.
Comment 21 Jeff Layton 2020-04-06 17:20:44 UTC 
*** Bug 1496492 has been marked as a duplicate of this bug. ***
Comment 22 Jeff Layton 2020-04-13 19:08:30 UTC 
Great. Should we transition this to a kernel bug? I've got an open "needinfo" request about QA tests for this on the other kernel bug (which just turned on the Kconfig option for security labels).

    https://bugzilla.redhat.com/show_bug.cgi?id=1814668#c9

Are there boilerplate QE tests to test SELinux enablement on filesystems, or do we need to add something special for CephFS?
Comment 23 Ondrej Mosnacek 2020-04-14 12:43:27 UTC 
(In reply to Jeff Layton from comment #22)
> Great. Should we transition this to a kernel bug?

We'll need a change in policy as well, so we need to keep this bug. I'll create a new one for the kernel change.

> I've got an open
> "needinfo" request about QA tests for this on the other kernel bug (which
> just turned on the Kconfig option for security labels).
> 
>     https://bugzilla.redhat.com/show_bug.cgi?id=1814668#c9
> 
> Are there boilerplate QE tests to test SELinux enablement on filesystems, or
> do we need to add something special for CephFS?

I have some test prepared for this (just needs some polishing), but I don't think this is big enough to be worth adding to CKI.
Comment 33 Jeff Layton 2020-08-03 17:22:34 UTC 
I may have found an issue. symlink inodes always seem to show a context of system_u:object_r:cephfs_t:s0. With a mainline kernel on f32, I see:

$ ls -alZ
total 1
drwxrwxrwt.  2 jlayton jlayton system_u:object_r:tmp_t:s0           2 Aug  3 13:16 .
drwxrwxrwt. 10 root    root    system_u:object_r:unlabeled_t:s0    10 Aug  3 13:04 ..
lrwxrwxrwx.  1 jlayton jlayton unconfined_u:object_r:user_tmp_t:s0  8 Aug  3 13:11 link -> testfile
-rw-rw-r--.  1 jlayton jlayton unconfined_u:object_r:user_tmp_t:s0  0 Jul 28 15:12 testfile


...but with the current centos8 kernels, I see:

$ ls -alZ
total 1
drwxrwxrwt.  2 jlayton jlayton system_u:object_r:tmp_t:s0           2 Aug  3 13:16 .
drwxrwxrwt. 10 root    root    system_u:object_r:cephfs_t:s0       10 Aug  3 13:04 ..
lrwxrwxrwx.  1 jlayton jlayton system_u:object_r:cephfs_t:s0        8 Aug  3 13:11 link -> testfile
-rw-rw-r--.  1 jlayton jlayton unconfined_u:object_r:user_tmp_t:s0  0 Jul 28 15:12 testfile


Note too that there is a fix going into mainline too that I haven't yet pulled into RHEL. Symlinks are currently being created without a context on cephfs:

    https://bugzilla.redhat.com/show_bug.cgi?id=1861509

Let me know if you'd rather I open a new bug for this.
Comment 34 Ondrej Mosnacek 2020-08-03 18:54:55 UTC 
(In reply to Jeff Layton from comment #33)
> I may have found an issue. symlink inodes always seem to show a context of
> system_u:object_r:cephfs_t:s0.

That is expected given the bug you mention below:

> Note too that there is a fix going into mainline too that I haven't yet
> pulled into RHEL. Symlinks are currently being created without a context on
> cephfs:

Recall that on RHEL-8 we fall back to cephfs_t instead of unlabeled_t to not potentially break existing users with files that haven't been explicitly labeled yet.

However, I think there might be another issue (in kernel/SELinux this time) that will still cause symlinks to get the wrong contexts on RHEL-8... [1] It's kind of a weird coincidence, because that bug isn't related with the Ceph one, yet they have almost the same effect :D Let me check with a scratch kernel with your fix applied and if my suspicion is confirmed, I'll file a separate BZ. Sorry for not realizing this earlier...

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7470d0d13fb680bb82b40f18831f7d4ee7a4bb62
Comment 35 Jeff Layton 2020-08-03 19:29:53 UTC 
I don't think it's really expected behavior.

To be clear, with the patch for BZ#1861509, the client creates the symlink with the correct context, as I can see it when I list it from the f32 client. It's just that the kernel on rhel8 box seems to show a context of system_u:object_r:cephfs_t:s0 on all symlinks, even when they do have an explicit context set.
Comment 36 Ondrej Mosnacek 2020-08-04 07:31:35 UTC 
Ah, I see, so if you observer the same also with your fix, then this is the symptom of the second bug... I also reproduced with my scratch builds and successfully tested a fix. I'll open a new BZ for it soon (I'll try to link it to the relevant bugs and put you in CC).
Comment 40 errata-xmlrpc 2020-11-04 01:56:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528
Comment 41 Dan Yocum 2021-08-26 17:55:32 UTC 
What version of OCP did this RHBA make it into?
Comment 42 Scott Dodson 2021-10-14 15:10:25 UTC 
(In reply to Dan Yocum from comment #41)
> What version of OCP did this RHBA make it into?

Dan,

This made RHEL 8.3 GA so it'd be in 4.7 GA and newer.
Note You need to log in before you can comment on or make changes to this bug.