This list has been deprecated. Please subscribe to the new devel list at
lists.nfs-ganesha.org.
Thank you so much Jiffin for the quick response!
-Janak
________________________________
From: Jiffin Thottan <jthot...@redhat.com>
Sent: Thursday, June 20, 2019 11:58:52 PM
To: Desai, Janak
Cc: Gluster Devel; nfs-ganesha-devel
Subject: Re: Quick question about the latest glusterfs and client side selinux support
Hi Janak,
Currently, it is supported in glusterfs (from 2.8 onwards) and cephfs (already
there in 2.7) for nfs-ganesha.
--
Jiffin
----- Original Message -----
From: "Janak Desai" <janak.de...@gtri.gatech.edu>
To: "Jiffin Tony Thottan" <jthot...@redhat.com>
Sent: Thursday, June 20, 2019 9:29:09 PM
Subject: Re: Quick question about the latest glusterfs and client side selinux support
Hi Jiffin,
I came across your presentation “NFS-Ganesha Weather Report” that you gave at
the FOSDEM’19 in early Feb this year. In that you mentioned that ongoing
developments in v2.8 include “labelled NFS” support. I see that v2.8 is now
out. Do you know if labelled NFS support made it in? If it did, is it only
supported in CEPHFS FSAL or any other FSALs also include the support for it? I
took a cursory look at the release documents and didn’t see Labelled NFS in it,
so thought I would bug you directly.
Thanks.
-Janak
From: Jiffin Tony Thottan <jthot...@redhat.com>
Date: Tuesday, August 28, 2018 at 12:50 AM
To: Janak Desai <janak.de...@gtri.gatech.edu>, "nde...@redhat.com"
<nde...@redhat.com>, "mselv...@redhat.com" <mselv...@redhat.com>
Cc: "p...@paul-moore.com" <p...@paul-moore.com>
Subject: Re: Quick question about the latest glusterfs and client side selinux support
Hi Janak,
Thanks for the interest. A basic selinux xlator is present in the gluster server
stack. It stores the selinux context at the backend as an xattr. When we developed
that xlator, there was no client at that point to test the functionality. I don't
know whether the required change in fuse got merged or not. As you mentioned, here
we first need to figure out whether the issue is related to the server. You can
collect a packet trace using tcpdump from the client while setting/getting the
selinux context and send it by mail.
Regards,
Jiffin
On Tuesday 28 August 2018 04:14 AM, Desai, Janak wrote:
Hi Niels, Manikandan, Jiffin,
I work for Georgia Tech Research Institute’s CIPHER Lab and am investigating
suitability of glusterfs for a couple of large upcoming projects. My ‘google
research’ is yielding confusing and inconclusive results, so I thought I would
try and reach out to some of the core developers to get some clarity.
We use SELinux extensively in our software solution. I am trying to find out
if, with the latest version 4.1 of glusterfs running on the latest version of
rhel, I should be able to associate and enforce selinux contexts from glusterfs
clients. I see in the 3.11 release notes that the selinux feature was
implemented but then I also see references to kernel work that is not done yet.
I also could not find any documentation/examples on how to add/integrate this
selinux translator to setup and enforce selinux labels from the client side. In
my simple test setup, which I mounted using the “selinux” option (which gluster
does seem to recognize), I am getting the “operation not supported” error. I
guess either I am not pulling in the selinux translator or I am running up
against other missing functionality in the kernel. I would really appreciate if
you could clear this up for me. If I am not configuring my mount correctly, I
would appreciate if you could point me to a document or an example. Our other
option is lustre filesystem since it does have a working client side
association and enforcement of selinux contexts. However, lustre appears to be
a lot more difficult to set up and maintain and I would rather use glusterfs. We need a
distributed (or parallel) filesystem that can work with Hadoop. If glusterfs
doesn’t pan out then I will look at labelled nfs 4.2 that is now available in
rhel7. However, my google research shows much more Hadoop affinity for
glusterfs than nfs v4.
I am also copying Paul Moore, with whom I collaborated a few years ago as part
of the team that took Linux through its common criteria evaluation, and who I
haven’t bugged lately ☺, to see if he can shed some light on any missing kernel
dependencies. I am currently testing with rhel7.5, but would be willing to try
an upstream kernel if I have to, to get this proof of concept going. I know the
underlying problem in the kernel is supporting extended attrs on FUSE file
systems, but was wondering (and hoping) that at least setup/enforcement of
selinux contexts from client side for glusterfs is possible.
Thanks.
-Janak