
Bug #4241

closed

SELinux fails because it can't set xattrs

Added by Greg Farnum about 11 years ago. Updated almost 8 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Community (user)
Tags:
Backport:
Regression:
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
kceph
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Here I change the label on a random file in /tmp
# strace chcon --reference=test afile
<snip>
And here I try the same on a CephFS filesystem
# strace chcon --reference=test afile
execve("/usr/bin/chcon", ["chcon", "--reference=test", "afile"], [/* 30 vars */]) = 0
brk(0)                                  = 0x24a4000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913992000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0
mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4913977000
close(3)                                = 0
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pa o;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=136440, ...}) = 0
mmap(0x3b6f200000, 2234408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f200000
mprotect(0x3b6f21f000, 2093056, PROT_NONE) = 0
mmap(0x3b6f41e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x3b6f41e000
mmap(0x3b6f420000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b6f420000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0
mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000
mprotect(0x3715dad000, 2097152, PROT_NONE) = 0
mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000
mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000
close(3)                                = 0
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\35`o;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=388152, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913976000
mmap(0x3b6f600000, 2478664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f600000
mprotect(0x3b6f65c000, 2097152, PROT_NONE) = 0
mmap(0x3b6f85c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5c000) = 0x3b6f85c000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0267\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22440, ...}) = 0
mmap(0x3716000000, 2109736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716000000
mprotect(0x3716003000, 2093056, PROT_NONE) = 0
mmap(0x3716202000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3716202000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913975000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913973000
arch_prctl(ARCH_SET_FS, 0x7f49139737c0) = 0
mprotect(0x60d000, 4096, PROT_READ)     = 0
mprotect(0x3b6f41e000, 4096, PROT_READ) = 0
mprotect(0x3715fad000, 16384, PROT_READ) = 0
mprotect(0x3b6f85c000, 4096, PROT_READ) = 0
mprotect(0x3716202000, 4096, PROT_READ) = 0
mprotect(0x3715a20000, 4096, PROT_READ) = 0
munmap(0x7f4913977000, 107608)          = 0
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
brk(0)                                  = 0x24a4000
brk(0x24c5000)                          = 0x24c5000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0
mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f490d583000
close(3)                                = 0
getxattr("test", "security.selinux", "system_u:object_r:unlabeled_t:s0", 255) = 33
open("/sys/fs/selinux/mls", O_RDONLY)   = 3
read(3, "1", 19)                        = 1
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
newfstatat(AT_FDCWD, "afile", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
setxattr("afile", "security.selinux", "system_u:object_r:unlabeled_t:s0", 33, 0) = -1 EOPNOTSUPP (Operation not supported)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2444, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913991000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2444
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4913991000, 4096)            = 0
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
write(2, "chcon: ", 7chcon: )                  = 7
write(2, "failed to change context of \342\200\230a"..., 81failed to change context of ‘afile’ to ‘system_u:object_r:unlabeled_t:s0’) = 81
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Operation not supported", 25: Operation not supported) = 25
write(2, "\n", 1
)                       = 1
close(1)                                = 0
close(2)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

Note the EOPNOTSUPP returned by the setxattr call on "security.selinux". I've been through the ceph xattr code and it looks right to me: the security namespace is allowed through on the checks that return EOPNOTSUPP, and it sure looks like the functions are wired up correctly. But I haven't tried reproducing this at any level.

Actions #1

Updated by Zheng Yan about 11 years ago

  • Status changed from New to Duplicate

This is the same problem as #1878 (ceph_symlink_iops doesn't have setattr method)

Actions #2

Updated by Carl-Johan Schenström almost 11 years ago

Are you sure about that? ceph_file_iops hasn't been changed since 2009, and the methods are there. The problem still occurs with ceph.ko from master as of two days ago. Same strace as above, both in enforcing and permissive mode.

As I understand it, Ceph must be added to the base policy for SELinux to work. Full xattr support would be nice, but genfs labeling would suffice. Unfortunately, neither passing the context option to mount nor adding a genfscon entry to filesystem.te seems to work. With the context option, I get the following error:

SELinux: security_context_to_sid(system_u:object_r:nfs_t,s0) failed for (dev ceph, type ceph) errno=-22

Actions #3

Updated by Greg Farnum almost 8 years ago

  • Component(FS) kceph added