SCIENTIFIC-LINUX-USERS Archives

April 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Date: Fri, 19 Apr 2013 20:43:56 +0200
Hello,

On Apr 19, 2013, at 18:12 , Olivier Mauras wrote:

> On 2013-04-19 17:29, Fabrice BOYRIE wrote:
>> [...]
>> Bigger one: problem with selinux
>> When I mount zfs volume, I've the following errors:
>> SELinux: initialized (dev zfs, type zfs), not configured for labeling
>> and even root can't write on the disk
>>   
>> I've modified selinux-policy srpm adding the following patch
>> policy-zfs.patch 
>> 
>> diff -Nur nsaserefpolicy/policy/modules/kernel/filesystem.te
>> serefpolicy-3.7.19/policy/modules/kernel/filesystem.te
>> --- aserefpolicy/policy/modules/kernel/filesystem.te       2010-04-13
>> 20:44:37.000000000 +0200
>> +++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te       2013-04-19
>> 17:30:43.952120437 +0200
>> @@ -21,6 +21,7 @@
>>  
>>  # Use xattrs for the following filesystem types.
>>  # Requires that a security xattr handler exist for the filesystem.
>> +fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
>>  fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
>>  fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
>>  fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
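Review bot: the line added in this hunk relies on the precondition stated in the two comment lines directly above it ("Requires that a security xattr handler exist for the filesystem"), and nothing in the patch records that this was checked for zfs; before sending it upstream, state in the description how it was confirmed that the zfs module serves security xattrs (the mail's observation that chcon works after the patch is that check in practice). Two smaller points: the neighbouring `fs_use_xattr` entries (btrfs, encfs, ext2) are in alphabetical order, so the zfs line belongs at the end of that list rather than in front of btrfs, and the `---`/`+++` file headers have been wrapped by the mail client (each timestamp continues on the following line, and the old-file path reads "aserefpolicy" where the `diff` line says "nsaserefpolicy"), so the patch as quoted will not apply with `patch` until those header lines are rejoined.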
>> 
>> With this patch applied, SELinux seems to be working (I can write and I can use
>> chcon). But at the next update, it will break. And I don't understand SELinux
>> well enough to make a specific module.
>> 
>> How do I solve these problems?
>> 
>> Thanks in advance
>> 
>> Fabrice BOYRIE
>> 
> Hello Fabrice,
> 
> While the patch is simple, the filesystem module is quite complicated and it would require quite some work to make a standalone module only for ZFS.
> Sadly, for now I think that it's simpler to patch the actual package than anything else

Depending on your definition of "simple", mounting with "fscontext=" may actually be simpler. And it will work across policy updates.

> and as long as the upstream vendor doesn't explicitly support ZFS in their SELinux rule, you/we'll have to continue to use a patched package.

If you believe the above patch is sufficient (I don't quite get the "Requires that a security xattr handler exist for the filesystem" part), filing a BZ with TUV would probably make sense.

Regards,
	Stephan

> Regards,
> Olivier
> 
>  

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany
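Stephan's "fscontext=" suggestion, worked through as an added example that is not part of the thread: the script below builds the mount(8) invocation that sets the superblock label for a ZFS dataset, and then reads /proc/mounts-style text to confirm which datasets actually carry a fscontext= option. The dataset name "tank/data", the mountpoint "/mnt/data" and the sample mounts text are constructed placeholders; the dataset is assumed to use mountpoint=legacy so that mount(8), not "zfs mount", handles it. The label used is the one from the quoted patch, system_u:object_r:fs_t:s0.

```shell
#!/bin/sh
# Added example, not from the list thread: mount a ZFS dataset with an explicit
# SELinux superblock label via mount(8)'s "fscontext=" option, and check from
# /proc/mounts that the option is in effect. Placeholders (assumptions):
# dataset "tank/data", mountpoint "/mnt/data"; the dataset is assumed to have
# mountpoint=legacy so that mount(8) rather than "zfs mount" handles it.

# Mount option string carrying the SELinux context for the superblock.
zfs_fscontext_opts() {
    printf 'fscontext=%s' "$1"
}

# The mount command line; printed rather than executed so the script is safe
# to run without root or a zpool.  Args: dataset mountpoint context
zfs_fscontext_mount_cmd() {
    printf 'mount -t zfs -o %s %s %s' "$(zfs_fscontext_opts "$3")" "$1" "$2"
}

# Extract the fscontext= value from one /proc/mounts line; prints "none" when
# the option is absent (the case the thread describes: the kernel then reports
# the filesystem as "not configured for labeling").
mount_fscontext_of() {
    ctx=$(printf '%s\n' "$1" | awk '{ print $4 }' | tr ',' '\n' | sed -n 's/^fscontext=//p')
    printf '%s' "${ctx:-none}"
}

# Look up a mountpoint in /proc/mounts-style text (second argument) and report
# its fscontext value, "none", or "not-mounted".
fscontext_for_mountpoint() {
    line=$(printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        printf 'not-mounted'
    else
        mount_fscontext_of "$line"
    fi
}

# Constructed sample of /proc/mounts output: one dataset mounted with
# fscontext=, one without.
SAMPLE_MOUNTS='tank/data /mnt/data zfs rw,relatime,fscontext=system_u:object_r:fs_t:s0,xattr 0 0
tank/home /home zfs rw,relatime,xattr 0 0'

# Usage: show the command to run, then audit the sample.
zfs_fscontext_mount_cmd tank/data /mnt/data system_u:object_r:fs_t:s0
echo
for mp in /mnt/data /home; do
    printf '%s: fscontext=%s\n' "$mp" "$(fscontext_for_mountpoint "$mp" "$SAMPLE_MOUNTS")"
done
```

On a real host, replace the sample with `fscontext_for_mountpoint /mnt/data "$(cat /proc/mounts)"` after mounting. Because the label travels with the mount options rather than with the policy package, it survives a selinux-policy update; mount(8) also documents the sibling options context=, defcontext= and rootcontext= for labelling the files themselves rather than only the superblock.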
