On 2013-04-19 20:43, Stephan Wiesand wrote:
> Hello,
>
> On Apr 19, 2013, at 18:12 , Olivier Mauras wrote:
>
>> On 2013-04-19 17:29, Fabrice BOYRIE wrote:
>>
>>> [...]
>>> Bigger one: problem with selinux
>>> When I mount zfs volume, I've the following errors:
>>> SELinux: initialized (dev zfs, type zfs), not configured for labeling
>>> and even root can't write on the disk
>>> I've modified selinux-policy srpm adding the following patch
>>> policy-zfs.patch
>>> diff -Nur nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.19/policy/modules/kernel/filesystem.te
>>> --- aserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13 20:44:37.000000000 +0200
>>> +++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2013-04-19 17:30:43.952120437 +0200
>>> @@ -21,6 +21,7 @@
>>> # Use xattrs for the following filesystem types.
>>> # Requires that a security xattr handler exist for the filesystem.
>>> +fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
>>> fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
>>> fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
>>> fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
>>> With this patch applied, selinux seems working (I can write and I can use chcon). But at next update, it will break. And I don't understand enough selinux to make a specific module. How do I solve this problem?
>>> Thanks in advance
>>> Fabrice BOYRIE
>>
>> Hello Fabrice,
>> While the patch is simple, the filesystem module is quite complicated and it would require quite some work to make a standalone module only for ZFS. Sadly for now I think that it's simpler to patch the actual package than anything else
>
> depending on your definition of "simple", mounting with "fscontext=" may actually be simpler. And it will work across policy updates.
>
>> and as long as the upstream vendor doesn't explicitly support ZFS in their SELinux rule, you/we'll have to continue to use a patched package.
>
> If you believe the above patch is sufficient (I don't quite get the "Requires that a security xattr handler exist for the filesystem" part), filing a BZ with TUV would probably make sense.
>
> Regards,
> Stephan
>
>> Regards,
>> Olivier
>
> --
> Stephan Wiesand
> DESY -DV-
> Platanenenallee

AFAIK zfs doesn't support the fscontext mount option.
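Review bot: The added `fs_use_xattr zfs` line only does what the context comment two lines above it demands if the zfs kernel module actually registers a security xattr handler (so that `security.selinux` can be stored per file); if it does not, the rule will not give you per-file labels and the "not configured for labeling" message points at a mount-time override (`context=`/`fscontext=`) or a `genfscon` rule as the alternative, so please confirm the xattr handler exists before filing this as a policy bug. Two smaller points in the same hunk: the existing entries (`btrfs`, `encfs`, `ext2`, ...) are kept in alphabetical order, so `zfs` belongs at the end of that list rather than before `btrfs`; and the `---` header path `aserefpolicy/...` does not match the `nsaserefpolicy/...` path on the `diff` line, which suggests the pasted patch lost characters and should be re-exported with `diff -Nur` before it is attached to a BZ.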
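Before patching the policy package or filing a BZ, it helps to confirm which labeling mode a mount actually ended up in. The following POSIX sh script is an added example and is not from this thread: it classifies a `/proc/self/mounts` line by the presence of the kernel's `seclabel` flag (per-file xattr labeling, which is what `fs_use_xattr` enables) or of a `context=`/`fscontext=`-style override (the mode Stephan proposed), and otherwise reports the mount as unlabeled, which is the state behind the "not configured for labeling" message. The sample mount lines and the `tank/data` dataset name are constructed; the exact options a real zfs mount shows may differ.

```shell
#!/bin/sh
# Added example (not from the thread). Classify how SELinux labels a mount,
# given one line in /proc/self/mounts format:
#   <source> <target> <fstype> <options> <dump> <pass>
#
#   labeled-context : a single context was forced at mount time with
#                     context=/fscontext=/defcontext=/rootcontext=
#   labeled-xattr   : the kernel set the 'seclabel' flag, i.e. files carry
#                     their own security.selinux xattr (fs_use_xattr policy)
#   unlabeled       : neither; every file gets the unlabeled context and
#                     confined domains, root included, are denied writes
mount_label_status() {
    printf '%s\n' "$1" | while read -r _src _tgt _fstype opts _rest; do
        case ",$opts," in
            *,context=*|*,fscontext=*|*,defcontext=*|*,rootcontext=*)
                echo labeled-context ;;
            *,seclabel,*)
                echo labeled-xattr ;;
            *)
                echo unlabeled ;;
        esac
    done
}

# Print "<target> <fstype>" for every unlabeled mount of the given fstype
# in a mounts file (pass /proc/self/mounts on a live system).
report_unlabeled_mounts() {
    _file=$1
    _want=$2
    while read -r _src _tgt _fstype _opts _rest; do
        [ "$_fstype" = "$_want" ] || continue
        [ "$(mount_label_status "$_src $_tgt $_fstype $_opts $_rest")" = unlabeled ] || continue
        echo "$_tgt $_fstype"
    done < "$_file"
}

# Constructed sample lines (not captured from a real host).
UNLABELED_ZFS='tank/data /tank/data zfs rw,xattr,noacl 0 0'
XATTR_EXT4='/dev/sda2 / ext4 rw,seclabel,relatime,data=ordered 0 0'
CONTEXT_ZFS='tank/data /tank/data zfs rw,relatime,context="system_u:object_r:fs_t:s0" 0 0'

# Constructed mounts file for report_unlabeled_mounts.
SAMPLE_MOUNTS=${TMPDIR:-/tmp}/mounts.sample.$$
printf '%s\n%s\n%s\n' "$UNLABELED_ZFS" "$XATTR_EXT4" "$CONTEXT_ZFS" > "$SAMPLE_MOUNTS"

# Usage: classify each sample, then list unlabeled zfs mounts in the sample file.
for line in "$UNLABELED_ZFS" "$XATTR_EXT4" "$CONTEXT_ZFS"; do
    printf '%-16s %s\n' "$(mount_label_status "$line")" "$line"
done
report_unlabeled_mounts "$SAMPLE_MOUNTS" zfs
```

On a live system, `report_unlabeled_mounts /proc/self/mounts zfs` lists the datasets that will trigger the denials Fabrice saw; a mount that shows `labeled-context` got there through the mount options rather than through the policy, so it survives a `selinux-policy` update, whereas `labeled-xattr` on a zfs mount means the policy change took effect.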
