Feature #13231
closed
kclient: support SELinux
Description
I cannot set SELinux labels on a ceph mount.
Environment:
[root@host16-rack08 ~]# modinfo ceph
filename: /lib/modules/3.10.0-229.7.2.el7.x86_64/kernel/fs/ceph/ceph.ko
license: GPL
description: Ceph filesystem for Linux
author: Patience Warnick <patience@newdream.net>
author: Yehuda Sadeh <yehuda@hq.newdream.net>
author: Sage Weil <sage@newdream.net>
alias: fs-ceph
rhelversion: 7.1
srcversion: 2086D500AFAF47B7260E08A
depends: libceph
intree: Y
vermagic: 3.10.0-229.7.2.el7.x86_64 SMP mod_unload modversions
signer: Red Hat Enterprise Linux kernel signing key
sig_key: 27:3C:C8:38:6D:A0:EE:8F:0E:C6:C6:F4:20:E2:4D:7B:AF:35:A9:78
sig_hashalgo: sha256
Here is my cephfs mountpoint:
[root@host16-rack08 ~]# mount |grep ceph
10.1.4.118:6789:/ on /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs type ceph (rw,relatime,name=kube,secret=<hidden>,nodcache)
Applying selinux label just failed:
[root@host16-rack08 ~]# setfattr -n security.selinux -v system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
setfattr: /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs: Operation not supported
[root@host16-rack08 ~]# setfattr -n security.foo -v system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
[root@host16-rack08 ~]# getfattr -d /var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs -m -
getfattr: Removing leading '/' from absolute path names
# file: var/lib/openshift/openshift.local.volumes/pods/2a79c5b9-62da-11e5-b8c5-b8ca3a627d6c/volumes/kubernetes.io~cephfs/cephfs
ceph.dir.entries="4"
ceph.dir.files="4"
ceph.dir.rbytes="0"
ceph.dir.rctime="0.090"
ceph.dir.rentries="1"
ceph.dir.rfiles="0"
ceph.dir.rsubdirs="1"
ceph.dir.subdirs="0"
security.foo="system_u:object_r:svirt_sandbox_file_t:s0"
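An added example, not part of the original report or of Ceph's code: a Python probe that repeats the two setfattr tests above and classifies the result by errno. The names classify_label_support, PROBE_ATTR and FakeMount are hypothetical, and FakeMount is a constructed stand-in so the logic runs without a CephFS mount.

```python
import errno
import os

PROBE_ATTR = "security.labelprobe"  # hypothetical scratch name, removed after the test

def classify_label_support(path, label, setxattr=os.setxattr, removexattr=os.removexattr):
    """Classify how the filesystem at `path` handles SELinux labels.

    "labeled"            - security.selinux was written (the label is really set)
    "selinux-rejected"   - other security.* xattrs work, security.selinux does not
                           (the behaviour shown in this report)
    "no-security-xattrs" - the security.* namespace is not writable at all
    On a real mount run it as root, as in the report; the two callables are
    injectable so the logic can be tested without a mount.
    """
    try:
        setxattr(path, "security.selinux", label.encode())
        return "labeled"
    except OSError as exc:
        if exc.errno != errno.EOPNOTSUPP:
            raise  # EPERM, EINVAL, ... are different problems; surface them
    try:
        setxattr(path, PROBE_ATTR, b"1")
    except OSError as exc:
        if exc.errno == errno.EOPNOTSUPP:
            return "no-security-xattrs"
        raise
    removexattr(path, PROBE_ATTR)  # leave no scratch attribute behind
    return "selinux-rejected"

class FakeMount:
    """Constructed stand-in for a filesystem; names in `rejected` fail with EOPNOTSUPP."""
    def __init__(self, rejected):
        self.rejected, self.xattrs = rejected, {}
    def setxattr(self, path, name, value):
        if any(name.startswith(prefix) for prefix in self.rejected):
            raise OSError(errno.EOPNOTSUPP, "Operation not supported")
        self.xattrs[name] = value
    def removexattr(self, path, name):
        del self.xattrs[name]

def demo():
    label = "system_u:object_r:svirt_sandbox_file_t:s0"  # label used in the report
    results = {}
    cases = [("report", ["security.selinux"]), ("none", ["security."]), ("ok", [])]
    for name, rejected in cases:
        fs = FakeMount(rejected)
        kind = classify_label_support("/mnt", label, fs.setxattr, fs.removexattr)
        results[name] = (kind, dict(fs.xattrs))
    return results
```

Called with the default arguments on a real path, the function writes the given label when the filesystem accepts it, so pass the label the path is meant to carry.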
Updated by Greg Farnum over 8 years ago
Updated by Huamin Chen over 8 years ago
Greg, from the first 2nd test, ceph fs was able to set xattr (thanks to #1878). But ceph failed to set security.security in my 1st setfattr test.
Updated by Huamin Chen over 8 years ago
IMHO, it might be the missing hooks like security_inode_init_security() calls.
Updated by Patrick Donnelly almost 6 years ago
- Tracker changed from Bug to Feature
- Project changed from Linux kernel client to CephFS
- Subject changed from ceph fs doesn't support selinux to kclient: support SELinux
- Priority changed from Normal to High
- Target version set to v14.0.0
- Component(FS) kceph added
- Labels (FS) task(medium) added
Updated by Patrick Donnelly almost 6 years ago
- Status changed from New to Duplicate
Updated by Patrick Donnelly almost 6 years ago
- Is duplicate of Feature #5486: kclient: make it work with selinux added