Project

General

Profile

Feature #5486

kclient: make it work with selinux

Added by Sage Weil almost 7 years ago. Updated 4 days ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
-
Target version:
-
% Done:

0%

Source:
Community (user)
Tags:
Backport:
Reviewed:
Affected Versions:
Component(FS):
kceph
Labels (FS):
task(hard)
Pull request ID:

Description

see #5477 for the latest failed attempt


Related issues

Duplicated by fs - Feature #13231: kclient: support SELinux Duplicate 09/24/2015

History

#1 Updated by Greg Farnum about 6 years ago

I don't know anything about SELinux, nor its users. What needs to work for us to support SELinux, and how big of a stumbling block is it for RHEL7 systems if we don't support SELinux?

#2 Updated by Greg Farnum about 6 years ago

  • Priority changed from Normal to High

Hmm, Sage notes that maybe it'll work now we support ACLs. Or maybe we can use a special mount option?

#3 Updated by Greg Farnum over 5 years ago

  • Tracker changed from Bug to Feature

#4 Updated by Zheng Yan over 5 years ago

I think cephfs part is ready for selinux support. but ceph is not included in selinux policy.

#5 Updated by Greg Farnum over 3 years ago

  • Component(FS) kceph added

#6 Updated by Greg Farnum over 3 years ago

  • Category changed from 53 to Administration/Usability

#7 Updated by Patrick Donnelly almost 2 years ago

  • Target version set to v14.0.0
  • Labels (FS) task(hard) added

#8 Updated by Patrick Donnelly almost 2 years ago

  • Priority changed from High to Normal

#9 Updated by Patrick Donnelly almost 2 years ago

#10 Updated by Patrick Donnelly about 1 year ago

  • Target version changed from v14.0.0 to v15.0.0

#11 Updated by Patrick Donnelly about 1 year ago

  • Target version deleted (v15.0.0)

#12 Updated by Patrick Donnelly 10 months ago

  • Category deleted (Administration/Usability)
  • Status changed from New to In Progress
  • Assignee set to Zheng Yan
  • Priority changed from Normal to Urgent
  • Start date deleted (07/01/2013)

[PATCH 1/2] ceph: rename struct ceph_acls_info to ceph_acl_sec_ctx
[PATCH 2/2] ceph: add selinux support

#13 Updated by Patrick Donnelly 10 months ago

  • Target version set to v15.0.0

Targeting Octopus so it shows up in searches.

#14 Updated by Patrick Donnelly 2 months ago

  • Target version deleted (v15.0.0)

#15 Updated by Zheng Yan 4 days ago

  • Status changed from In Progress to Resolved

upstreamed

commit ac6713ccb5a6d13b59a2e3fda4fb049a2c4e0af2
Author: Yan, Zheng <>
Date: Sun May 26 16:27:56 2019 +0800

ceph: add selinux support
When creating new file/directory, use security_dentry_init_security() to
prepare selinux context for the new inode, then send openc/mkdir request
to MDS, together with selinux xattr.
security_dentry_init_security() only supports single security module and
only selinux has dentry_init_security hook. So only selinux is supported
for now. We can add support for other security modules once kernel has a
generic version of dentry_init_security()
Signed-off-by: "Yan, Zheng" &lt;&gt;
Reviewed-by: Jeff Layton &lt;&gt;
Signed-off-by: Ilya Dryomov &lt;&gt;

Also available in: Atom PDF