author: Niels de Vos <ndevos@redhat.com> 2016-07-04 12:45:18 +0200
committer: Niels de Vos <ndevos@redhat.com> 2016-07-07 05:06:33 -0700
commit: 39154a0e0cc6cf6e77ff93de31c77a74771afa93
tree: a5604579c7a6879999e2bfb0a130e34ccd508ad8
parent: fb899d3ef58319e3f583e6abcea52b6b0e47b73b
SELinux: add notes about the context/type for brick contents
Contents on the bricks should have the file-type glusterd_brick_t. Add some notes on how this is managed.

Change-Id: Ied7e9c22f04483ddfcbe082436ef02bdd46938ae
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/14853
Reviewed-by: Manikandan Selvaganesh <mselvaga@redhat.com>
Reviewed-by: jiffin tony Thottan <jthottan@redhat.com>
-rw-r--r-- accepted/SELinux-client-support.md | 19
1 file changed, 17 insertions, 2 deletions
diff --git a/accepted/SELinux-client-support.md b/accepted/SELinux-client-support.md
index 4942be5..a3eaff8 100644
--- a/accepted/SELinux-client-support.md
+++ b/accepted/SELinux-client-support.md
@@ -77,12 +77,22 @@ Labelled-NFS.
#### Implications on persistence layer
-None.
+Once the feature is active, the brick processes may not access files that have
+a different type than `glusterd_brick_t`. Environments that have contents of
+the bricks with a different target security context type, will not be allowed
+to access the contents. This means that upgrades from previous version need to
+make sure that the contents of the bricks get re-labelled correctly. A command
+like this is needed for all bricks (assuming `/bricks/volume/b1` is displayed
+as a brick path in `gluster volume info`):
+ # chcon -t glusterd_brick_t /bricks/volume/b1
#### Implications on 'GlusterFS' backend
-None.
+If the filesystem used for the bricks supports SELinux labels, the type of the
+target security context of the contents on the bricks will be set to
+`glusterd_brick_t`. The brick processes will not be allowed to access files
+with a different type.
#### Modification to GlusterFS metadata
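Review bot: the relabel command in the persistence-layer paragraph, `# chcon -t glusterd_brick_t /bricks/volume/b1`, does not do what the surrounding sentence promises. Without `-R` it changes the type of the brick directory only, while the text says "the contents of the bricks get re-labelled"; and `chcon` is not persistent, so the next `restorecon` (or a relabel at boot) resets the type to whatever the policy's file-context rules say and the brick process is denied access again. Suggest documenting a persistent rule followed by the relabel, e.g. `semanage fcontext -a -t glusterd_brick_t "/bricks/volume/b1(/.*)?"` and then `restorecon -Rv /bricks/volume/b1`, or at minimum `chcon -R`. The 'GlusterFS backend' paragraph likewise says the type "will be set to `glusterd_brick_t`" without saying by whom or when; name the mechanism (hook on volume creation, manual relabel on upgrade) so readers do not assume the brick process does this itself. Minor wording: "may not access" reads as permission, not prohibition; "will not be permitted to access" is unambiguous.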
@@ -96,6 +106,11 @@ attribute is converted to/from `security.selinux` on the client-side.
A new `features/selinux` xlator will need to be inserted in the graph on the
server-side.
+Once a new volume is created, the directories for the bricks should get the
+`glusterd_brick_t` target security context type in case SELinux on the storage
+server is available. This will be handled by a hook-script in the create/post
+event.
+
#### How To Test
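Review bot: attaching the labelling to the create/post hook only covers bricks that exist at `gluster volume create`; bricks introduced later via add-brick or replace-brick would never receive the `glusterd_brick_t` type, and under the rule stated earlier in this patch their brick processes would be denied access to everything on them. Suggest either running the same relabel step from the add-brick and replace-brick post hooks as well, or stating explicitly here that such bricks must be relabelled by the administrator. Also clarify what "in case SELinux on the storage server is available" means for the hook (installed but disabled, permissive, or enforcing), and whether the hook records a persistent file-context rule or applies a one-off label, since a one-off label is lost on the next `restorecon`.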