GlusterFS with native FUSE client doesn't support xattr / SELinux labeling.

Steps to Reproduce:
1. mount -t glusterfs -o selinux host:/gv1 /gv1
2. chcon -t default_t /gv1/input.txt

Actual results:
chcon: failed to change context of /gv1/input.txt to system_u:object_r:default_t:s0: Operation not supported

Expected results:
no error

Additional info:
SELinux is running in Permissive mode.
Attempting to duplicate this by setting the security.selinux attribute using setfattr, the attribute call never makes it to glusterfs. It appears this must be being blocked in the kernel fuse module.
This is not an issue that glusterfs-fuse can solve. SELinux in the kernel needs to detect if the filesystem supports SELinux. Not all fuse filesystems offer this support, so SELinux is not enabled for any fuse filesystem at the moment. There is a task for the SELinux kernel devs to improve the handling of sub-filesystems, like "glusterfs" is a sub-filesystem of "fuse". When this feature is available in the kernel, Gluster can benefit from it and we should test again. More details about the kernel side of things are in bug 1272868.
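A way to see which FUSE mounts the kernel treats as unlabeled, added here as an example and not part of the original thread or of Gluster: it reads a /proc/mounts-format file and reports FUSE mounts whose options lack `seclabel`, the marker SELinux adds for filesystems it labels through xattrs. It assumes SELinux is enabled (enforcing or permissive); the function names and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list FUSE mounts the kernel has not marked as SELinux-labelable.
# Input is in /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample (not from a real host); /gv1 mirrors the mount in the report.
sample_mounts() {
cat <<'EOF'
/dev/mapper/vg-root / xfs rw,seclabel,relatime,attr2 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
host:/gv1 /gv1 fuse.glusterfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072 0 0
/dev/sdb1 /mnt/my\040data fuseblk rw,nosuid,nodev,user_id=0,group_id=0 0 0
EOF
}

# unlabeled_fuse_mounts [FILE]   (FILE defaults to /proc/mounts, "-" reads stdin)
# Prints "<fstype> <mountpoint>" for every fuse, fuse.* or fuseblk mount whose
# option list does not contain the exact token "seclabel".
unlabeled_fuse_mounts() {
    awk '
    $3 == "fuse" || $3 == "fuseblk" || $3 ~ /^fuse\./ {
        n = split($4, opts, ",")
        labeled = 0
        for (i = 1; i <= n; i++)
            if (opts[i] == "seclabel") labeled = 1
        if (!labeled) {
            mp = $2
            gsub(/\\040/, " ", mp)   # /proc/mounts escapes spaces as \040
            print $3, mp
        }
    }' "${1:-/proc/mounts}"
}

# Demonstration on the constructed sample; call with no argument on a live host.
sample_mounts | unlabeled_fuse_mounts -
```

Files on a mount reported here cannot be given per-file contexts with chcon or setfattr, which matches the "Operation not supported" result in the report.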
There are several parts that need to get done before it is possible to set an SELinux context over FUSE mounts. We are working on getting the changes in the core Gluster part done for glusterfs-3.8.0 (see bug 1318100). More details can be found in this email: http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/13071 There is no chance that this gets backported to glusterfs-3.7.x, so I'm setting the version to 'mainline' for now.
*** Bug 1596918 has been marked as a duplicate of this bug. ***
Migrated to github: https://github.com/gluster/glusterfs/issues/593 Please follow the github issue for further updates on this bug.