Hello,
On Apr 19, 2013, at 18:12 , Olivier Mauras wrote:
> On 2013-04-19 17:29, Fabrice BOYRIE wrote:
>> [...]
>> Bigger one: problem with selinux
>> When I mount a zfs volume, I have the following errors:
>> SELinux: initialized (dev zfs, type zfs), not configured for labeling
>> and even root can't write on the disk
>>
>> I've modified selinux-policy srpm adding the following patch
>> policy-zfs.patch
>>
>> diff -Nur nsaserefpolicy/policy/modules/kernel/filesystem.te
>> serefpolicy-3.7.19/policy/modules/kernel/filesystem.te
>> --- aserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13
>> 20:44:37.000000000 +0200
>> +++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2013-04-19
>> 17:30:43.952120437 +0200
>> @@ -21,6 +21,7 @@
>>
>> # Use xattrs for the following filesystem types.
>> # Requires that a security xattr handler exist for the filesystem.
>> +fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
>> fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
>> fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
>> fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
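Review bot: the new `fs_use_xattr zfs` line at the top of the hunk breaks the alphabetical ordering of the surrounding entries (btrfs, encfs, ext2); placing it after the last `fs_use_xattr` entry keeps the list sorted and makes the hunk less likely to conflict on the next policy rebase. The header is also inconsistent: the `diff -Nur` line names `nsaserefpolicy/...` while the `---` line reads `aserefpolicy/...`, so the old-file path should be corrected to match before this goes into the srpm. As the comment right above the added line says, `fs_use_xattr` only works when the filesystem provides a security xattr handler; the report that chcon works after the patch is the evidence that zfs does, and that should be recorded in the patch description.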
>>
>> With this patch applied, SELinux seems to work (I can write and I can use
>> chcon). But at the next update, it will break. And I don't understand enough
>> SELinux to make a specific module.
>>
>> How do I solve this problem?
>>
>> Thanks in advance
>>
>> Fabrice BOYRIE
>>
> Hello Fabrice,
>
> While the patch is simple, the filesystem module is quite complicated and it would require quite some work to make a standalone module only for ZFS.
> Sadly, for now I think that it's simpler to patch the actual package than anything else,
Depending on your definition of "simple", mounting with "fscontext=" may actually be simpler. And it will work across policy updates.
> and as long as the upstream vendor doesn't explicitly support ZFS in their SELinux rules, you/we'll have to continue using a patched package.
If you believe the above patch is sufficient (I don't quite get the "Requires that a security xattr handler exist for the filesystem" part), filing a BZ with TUV would probably make sense.
Regards,
Stephan
> Regards,
> Olivier
>
>
--
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany
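As an added example, not part of the thread: the "not configured for labeling" situation Fabrice describes can be spotted from the mount table, and a mount done with the `fscontext=` option Stephan mentions shows up in that table's option list. The check below assumes a `/proc/self/mounts`-style table and that newer kernels report xattr-based labeling as a `seclabel` option; the sample table is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): list zfs mounts that SELinux cannot
# label, i.e. the option list shows neither "seclabel" (xattr labeling, as
# reported by newer kernels - assumption) nor an explicit context=/fscontext=
# mount option. Reads a /proc/self/mounts-style table from the file in $1.
zfs_unlabeled_mounts() {
    while read -r src mnt fstype opts rest; do
        [ "$fstype" = "zfs" ] || continue
        case ",$opts," in
            # labeled via xattrs or via a fixed context given at mount time
            *,seclabel,*|*,context=*|*,fscontext=*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done < "$1"
}

# Constructed sample table (not real output from the poster's system).
# The /srv/www line is what a mount such as
#   mount -t zfs -o fscontext=system_u:object_r:fs_t:s0 tank/www /srv/www
# would look like; /data is the unlabeled case from the thread.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
tank/data /data zfs rw,xattr,noacl 0 0
tank/www /srv/www zfs rw,fscontext=system_u:object_r:fs_t:s0,xattr 0 0
tank/home /home zfs rw,seclabel,xattr,posixacl 0 0
EOF

zfs_unlabeled_mounts "$SAMPLE_MOUNTS"   # prints "/data"
```

Run it against the live system with `zfs_unlabeled_mounts /proc/self/mounts`; any path it prints is a dataset where root writes will be denied until it is mounted with a context or the policy gains a `fs_use_xattr zfs` entry.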