Project

General

Profile

Feature #13231

kclient: support SELinux

Added by Huamin Chen about 3 years ago. Updated 6 months ago.

Status:
Duplicate
Priority:
High
Assignee:
-
Category:
-
Target version:
Start date:
09/24/2015
Due date:
% Done:

0%

Source:
other
Tags:
Backport:
Reviewed:
Affected Versions:
Component(FS):
kceph
Labels (FS):
task(medium)
Pull request ID:

Description

I cannot set selinux labbels on ceph mount.

Environment:
[root@host16-rack08 ~]# modinfo ceph
filename: /lib/modules/3.10.0-229.7.2.el7.x86_64/kernel/fs/ceph/ceph.ko
license: GPL
description: Ceph filesystem for Linux
author: Patience Warnick <>
author: Yehuda Sadeh <>
author: Sage Weil <>
alias: fs-ceph
rhelversion: 7.1
srcversion: 2086D500AFAF47B7260E08A
depends: libceph
intree: Y
vermagic: 3.10.0-229.7.2.el7.x86_64 SMP mod_unload modversions
signer: Red Hat Enterprise Linux kernel signing key
sig_key: 27:3C:C8:38:6D:A0:EE:8F:0E:C6:C6:F4:20:E2:4D:7B:AF:35:A9:78
sig_hashalgo: sha256

Here is my cephfs mountpoint:
[root@host16-rack08 ~]# mount |grep ceph
10.1.4.118:6789:/ on /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs type ceph (rw,relatime,name=kube,secret=<hidden>,nodcache)

Applying selinux label just failed:
[root@host16-rack08 ~]# setfattr -n security.selinux -v system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
setfattr: /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs: Operation not supported

Yet if I use a fake security label, it passed:
[root@host16-rack08 ~]# setfattr -n security.foo -v system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
[root@host16-rack08 ~]# getfattr -d /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs -m -getfattr: Removing leading '/' from absolute path names
  1. file: var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
    ceph.dir.entries="4"
    ceph.dir.files="4"
    ceph.dir.rbytes="0"
    ceph.dir.rctime="0.090"
    ceph.dir.rentries="1"
    ceph.dir.rfiles="0"
    ceph.dir.rsubdirs="1"
    ceph.dir.subdirs="0"
    security.foo="system_u:object_r:svirt_sandbox_file_t:s0"

Related issues

Duplicates fs - Feature #5486: kclient: make it work with selinux New 07/01/2013

History

#1 Updated by Greg Farnum about 3 years ago

See #5486, #1878, and others in the tracker — I think CephFS is ready for support now, but SELinux needs to get modified itself in order to accept us as a filesystem?

#2 Updated by Huamin Chen about 3 years ago

Greg, from the first 2nd test, ceph fs was able to set xattr (thanks to #1878). But ceph failed to set security.security in my 1st setfattr test.

#3 Updated by Huamin Chen about 3 years ago

IMHO, it might be the missing hooks like security_inode_init_security() calls.

#4 Updated by Patrick Donnelly 6 months ago

  • Tracker changed from Bug to Feature
  • Project changed from Linux kernel client to fs
  • Subject changed from ceph fs doesn't support selinux to kclient: support SELinux
  • Priority changed from Normal to High
  • Target version set to v14.0.0
  • Component(FS) kceph added
  • Labels (FS) task(medium) added

#5 Updated by Patrick Donnelly 6 months ago

  • Status changed from New to Duplicate

#6 Updated by Patrick Donnelly 6 months ago

  • Duplicates Feature #5486: kclient: make it work with selinux added

Also available in: Atom PDF