authorManikandan Selvaganesh <mselvaga@redhat.com>2016-03-16 21:37:22 +0530
committerNiels de Vos <ndevos@redhat.com>2017-05-03 09:34:11 +0000
commit6484558c7502e5afe1c96081dbe329ca5d9cb7e2 (patch)
tree82f055d8e6db4c75b6800d545e5ca8a91cffa9b4
parent41000cd0b57a81c4ace4a1d3da0fcc352a11f146 (diff)
SELinux : implementation of SELinux translator
The patch implements a part of the SELinux translator to support setting SELinux contexts on files in a glusterfs volume. URL: https://github.com/gluster/glusterfs-specs/blob/master/accepted/SELinux-client-support.md Change-Id: Id8916bd8e064ccf74ba86225ead95f86dc5a1a25 BUG: 1318100 Fixes : #55 Signed-off-by: Manikandan Selvaganesh <mselvaga@redhat.com> Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com> Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: https://review.gluster.org/13762 Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Manikandan Selvaganesh <manikandancs333@gmail.com> Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
-rw-r--r--configure.ac2
-rw-r--r--glusterfs.spec.in1
-rw-r--r--libglusterfs/src/glfs-message-id.h8
-rw-r--r--xlators/features/Makefile.am2
-rw-r--r--xlators/features/selinux/Makefile.am3
-rw-r--r--xlators/features/selinux/src/Makefile.am19
-rw-r--r--xlators/features/selinux/src/selinux-mem-types.h20
-rw-r--r--xlators/features/selinux/src/selinux-messages.h98
-rw-r--r--xlators/features/selinux/src/selinux.c324
-rw-r--r--xlators/features/selinux/src/selinux.h24
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volgen.c30
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volgen.h1
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volume-set.c11
13 files changed, 536 insertions, 7 deletions
diff --git a/configure.ac b/configure.ac
index b181841ad17..4ffbcc83ef4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,6 +147,8 @@ AC_CONFIG_FILES([Makefile
xlators/features/quota/src/Makefile
xlators/features/marker/Makefile
xlators/features/marker/src/Makefile
+ xlators/features/selinux/Makefile
+ xlators/features/selinux/src/Makefile
xlators/features/read-only/Makefile
xlators/features/read-only/src/Makefile
xlators/features/compress/Makefile
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index fb5f35971ac..65e684be320 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -1213,6 +1213,7 @@ exit 0
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/snapview-server.so
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/marker.so
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/quota*
+%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/selinux.so
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/trash.so
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/upcall.so
%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/leases.so
diff --git a/libglusterfs/src/glfs-message-id.h b/libglusterfs/src/glfs-message-id.h
index f4adbfbff2c..f14b0fb0818 100644
--- a/libglusterfs/src/glfs-message-id.h
+++ b/libglusterfs/src/glfs-message-id.h
@@ -145,7 +145,7 @@
GLFS_MSGID_SEGMENT)
#define GLFS_MSGID_COMP_SYMLINK_CACHE \
-GLFS_MSGID_COMP_READDIR_AHEAD_END
+ GLFS_MSGID_COMP_READDIR_AHEAD_END
#define GLFS_MSGID_COMP_SYMLINK_CACHE_END \
(GLFS_MSGID_COMP_SYMLINK_CACHE+ \
GLFS_MSGID_SEGMENT)
@@ -191,6 +191,12 @@ GLFS_MSGID_COMP_SYMLINK_CACHE_END
#define GLFS_MSGID_COMP_NLC_END (GLFS_MSGID_COMP_NLC +\
GLFS_MSGID_SEGMENT)
+#define GLFS_MSGID_COMP_SL GLFS_MSGID_COMP_NLC
+#define GLFS_MSGID_COMP_SL_END (GLFS_MSGID_COMP_SL +\
+ GLFS_MSGID_SEGMENT)
+
+
+
/* --- new segments for messages goes above this line --- */
#endif /* !_GLFS_MESSAGE_ID_H_ */
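Review bot: `GLFS_MSGID_COMP_SL` is defined as `GLFS_MSGID_COMP_NLC` rather than `GLFS_MSGID_COMP_NLC_END`, so the new SL segment starts at the same base as the NLC segment and the two ID ranges overlap completely; every other component in this header (see `GLFS_MSGID_COMP_SYMLINK_CACHE` in the hunk above, which starts at `GLFS_MSGID_COMP_READDIR_AHEAD_END`) begins at the previous component's `_END`. Overlapping IDs make the selinux messages indistinguishable from NLC's wherever logs are filtered or correlated by message id. Suggested: `#define GLFS_MSGID_COMP_SL GLFS_MSGID_COMP_NLC_END`.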
diff --git a/xlators/features/Makefile.am b/xlators/features/Makefile.am
index 3cc34c9379f..f7791b0cc32 100644
--- a/xlators/features/Makefile.am
+++ b/xlators/features/Makefile.am
@@ -1,6 +1,6 @@
SUBDIRS = locks quota read-only quiesce marker index barrier \
arbiter compress changelog changetimerecorder \
gfid-access $(GLUPY_SUBDIR) upcall snapview-client snapview-server \
- trash shard bit-rot leases
+ trash shard bit-rot leases selinux
CLEANFILES =
diff --git a/xlators/features/selinux/Makefile.am b/xlators/features/selinux/Makefile.am
new file mode 100644
index 00000000000..a985f42a877
--- /dev/null
+++ b/xlators/features/selinux/Makefile.am
@@ -0,0 +1,3 @@
+SUBDIRS = src
+
+CLEANFILES =
diff --git a/xlators/features/selinux/src/Makefile.am b/xlators/features/selinux/src/Makefile.am
new file mode 100644
index 00000000000..34105d2a45b
--- /dev/null
+++ b/xlators/features/selinux/src/Makefile.am
@@ -0,0 +1,19 @@
+xlator_LTLIBRARIES = selinux.la
+
+xlatordir = $(libdir)/glusterfs/$(PACKAGE_VERSION)/xlator/features
+
+selinux_la_LDFLAGS = -module $(GF_XLATOR_DEFAULT_LDFLAGS)
+
+selinux_la_SOURCES = selinux.c
+
+selinux_la_LIBADD = $(top_builddir)/libglusterfs/src/libglusterfs.la
+
+noinst_HEADERS = selinux.h selinux-messages.h selinux-mem-types.h
+
+AM_CPPFLAGS = $(GF_CPPFLAGS) -I$(top_srcdir)/libglusterfs/src \
+ -I$(top_srcdir)/rpc/xdr/src -I$(top_builddir)/rpc/xdr/src
+
+AM_CFLAGS = -Wall $(GF_CFLAGS)
+
+CLEANFILES =
+
diff --git a/xlators/features/selinux/src/selinux-mem-types.h b/xlators/features/selinux/src/selinux-mem-types.h
new file mode 100644
index 00000000000..f9f356dd39a
--- /dev/null
+++ b/xlators/features/selinux/src/selinux-mem-types.h
@@ -0,0 +1,20 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+#ifndef __SELINUX_MEM_TYPES_H__
+#define __SELINUX_MEM_TYPES_H__
+
+#include "mem-types.h"
+
+enum gf_selinux_mem_types_ {
+ gf_selinux_mt_selinux_priv_t = gf_common_mt_end + 1,
+ gf_selinux_mt_end
+};
+#endif
+
diff --git a/xlators/features/selinux/src/selinux-messages.h b/xlators/features/selinux/src/selinux-messages.h
new file mode 100644
index 00000000000..a498dc21471
--- /dev/null
+++ b/xlators/features/selinux/src/selinux-messages.h
@@ -0,0 +1,98 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+
+#ifndef _SELINUX_MESSAGES_H__
+#define _SELINUX_MESSAGES_H__
+
+#include "glfs-message-id.h"
+
+/*! \file selinux-messages.h
+ * \brief Selinux log-message IDs and their descriptions
+ */
+
+/* NOTE: Rules for message additions
+ * 1) Each instance of a message is _better_ left with a unique message ID, even
+ * if the message format is the same. Reasoning is that, if the message
+ * format needs to change in one instance, the other instances are not
+ * impacted or the new change does not change the ID of the instance being
+ * modified.
+ * 2) Addition of a message,
+ * - Should increment the GLFS_NUM_MESSAGES
+ * - Append to the list of messages defined, towards the end
+ * - Retain macro naming as glfs_msg_X (for readability across developers)
+ * NOTE: Rules for message format modifications
+ * 3) Check acorss the code if the message ID macro in question is reused
+ * anywhere. If reused then then the modifications should ensure correctness
+ * everywhere, or needs a new message ID as (1) above was not adhered to. If
+ * not used anywhere, proceed with the required modification.
+ * NOTE: Rules for message deletion
+ * 4) Check (3) and if used anywhere else, then cannot be deleted. If not used
+ * anywhere, then can be deleted, but will leave a hole by design, as
+ * addition rules specify modification to the end of the list and not filling
+ * holes.
+ */
+
+#define GLFS_SL_BASE GLFS_MSGID_COMP_SL
+#define GLFS_SL_NUM_MESSAGES 5
+#define GLFS_SL_MSGID_END (GLFS_SL_BASE + GLFS_NUM_MESSAGES + 1)
+/* Messages with message IDs */
+#define glfs_msg_start_x GLFS_SL_BASE, "Invalid: Start of messages"
+/*------------*/
+
+#define SL_MSG_INVALID_VOLFILE (GLFS_SL_BASE + 1)
+
+/*!
+ * @messageid
+ * @diagnosis
+ * @recommendedaction
+ *
+ */
+
+#define SL_MSG_ENOMEM (GLFS_SL_BASE + 2)
+
+/*!
+ * @messageid
+ * @diagnosis
+ * @recommendedaction
+ *
+ */
+
+#define SL_MSG_MEM_ACCT_INIT_FAILED (GLFS_SL_BASE + 3)
+
+/*!
+ * @messageid
+ * @diagnosis
+ * @recommendedaction
+ *
+ */
+
+#define SL_MSG_SELINUX_GLUSTER_XATTR_MISSING (GLFS_SL_BASE + 4)
+
+/*!
+ * @messageid
+ * @diagnosis
+ * @recommendedaction
+ *
+ */
+
+#define SL_MSG_SELINUX_XATTR_MISSING (GLFS_SL_BASE + 5)
+
+/*!
+ * @messageid
+ * @diagnosis
+ * @recommendedaction
+ *
+ */
+
+/*-----------*/
+#define glfs_msg_end_x GLFS_MSGID_END, "Invalid: End of messages"
+
+#endif /*_SELINUX_MESSAGES_H */
+
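Review bot: `GLFS_SL_MSGID_END` is computed from `GLFS_NUM_MESSAGES` although this header defines `GLFS_SL_NUM_MESSAGES` on the line above, and `glfs_msg_end_x` at the bottom refers to `GLFS_MSGID_END` instead of `GLFS_SL_MSGID_END`; both read as leftovers from the template this file was copied from and should use this component's own macros: `#define GLFS_SL_MSGID_END (GLFS_SL_BASE + GLFS_SL_NUM_MESSAGES + 1)` and `#define glfs_msg_end_x GLFS_SL_MSGID_END, "Invalid: End of messages"`. The `@messageid`/`@diagnosis`/`@recommendedaction` blocks under every `SL_MSG_*` id are empty; at minimum the ids selinux.c actually logs (`SL_MSG_INVALID_VOLFILE`, `SL_MSG_ENOMEM`, `SL_MSG_MEM_ACCT_INIT_FAILED`, `SL_MSG_SELINUX_GLUSTER_XATTR_MISSING`) should state what the condition means and what an operator should do, and `SL_MSG_SELINUX_XATTR_MISSING` is defined but not used anywhere in this commit. The guard is opened as `_SELINUX_MESSAGES_H__` but the closing comment says `_SELINUX_MESSAGES_H`; make the two agree.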
diff --git a/xlators/features/selinux/src/selinux.c b/xlators/features/selinux/src/selinux.c
new file mode 100644
index 00000000000..1a4b39f253c
--- /dev/null
+++ b/xlators/features/selinux/src/selinux.c
@@ -0,0 +1,324 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+
+#include "xlator.h"
+
+#include "selinux.h"
+#include "selinux-messages.h"
+#include "selinux-mem-types.h"
+#include "compat-errno.h"
+
+static int
+selinux_fgetxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *dict, dict_t *xdata)
+{
+ int ret = 0;
+ char *name = cookie;
+
+ if (op_errno == 0 && name && (!strcmp(name, SELINUX_GLUSTER_XATTR))) {
+ ret = dict_rename_key (dict, SELINUX_GLUSTER_XATTR,
+ SELINUX_XATTR);
+ if (ret < 0)
+ gf_msg (this->name, GF_LOG_ERROR, op_errno,
+ SL_MSG_SELINUX_GLUSTER_XATTR_MISSING,
+ "getxattr failed for %s", SELINUX_XATTR);
+
+ }
+
+ STACK_UNWIND_STRICT (fgetxattr, frame, op_ret, op_errno,
+ dict, xdata);
+ return ret;
+}
+
+
+static int
+selinux_fgetxattr (call_frame_t *frame, xlator_t *this, fd_t *fd,
+ const char *name, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ char *xattr_name = (char *) name;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO ("selinux", priv, err);
+
+ /* name can be NULL for listxattr calls */
+ if (!priv->selinux_enabled || !name)
+ goto off;
+
+ if (strcmp (name, SELINUX_XATTR) == 0)
+ xattr_name = SELINUX_GLUSTER_XATTR;
+
+off:
+ STACK_WIND_COOKIE (frame, selinux_fgetxattr_cbk, xattr_name,
+ FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->fgetxattr, fd, xattr_name,
+ xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT (fgetxattr, frame, op_ret, op_errno, NULL, xdata);
+
+ return 0;
+}
+
+static int
+selinux_getxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *dict, dict_t *xdata)
+{
+ int ret = 0;
+ char *name = cookie;
+
+ if (op_errno == 0 && name && (!strcmp(name, SELINUX_GLUSTER_XATTR))) {
+ ret = dict_rename_key (dict, SELINUX_GLUSTER_XATTR,
+ SELINUX_XATTR);
+ if (ret < 0)
+ gf_msg (this->name, GF_LOG_ERROR, op_errno,
+ SL_MSG_SELINUX_GLUSTER_XATTR_MISSING,
+ "getxattr failed for %s", SELINUX_XATTR);
+
+ }
+
+ STACK_UNWIND_STRICT (getxattr, frame, op_ret, op_errno, dict, xdata);
+
+ return 0;
+}
+
+
+static int
+selinux_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
+ const char *name, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ char *xattr_name = (char *) name;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO ("selinux", priv, err);
+
+ /* name can be NULL for listxattr calls */
+ if (!priv->selinux_enabled || !name)
+ goto off;
+
+ if (strcmp (name, SELINUX_XATTR) == 0)
+ xattr_name = SELINUX_GLUSTER_XATTR;
+
+off:
+ STACK_WIND_COOKIE (frame, selinux_getxattr_cbk, xattr_name,
+ FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->getxattr, loc, xattr_name,
+ xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT (getxattr, frame, op_ret, op_errno, NULL, xdata);
+ return 0;
+}
+
+static int
+selinux_fsetxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *xdata)
+{
+ STACK_UNWIND_STRICT (fsetxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+
+}
+
+
+static int
+selinux_fsetxattr (call_frame_t *frame, xlator_t *this, fd_t *fd, dict_t *dict,
+ int flags, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ int32_t ret = -1;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO ("selinux", priv, err);
+
+ if (!priv->selinux_enabled)
+ goto off;
+
+ ret = dict_rename_key (dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR);
+ if (ret < 0 && ret != -ENODATA)
+ goto err;
+
+off:
+ STACK_WIND (frame, selinux_fsetxattr_cbk, FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->fsetxattr, fd, dict, flags,
+ xdata);
+
+
+ return 0;
+err:
+ STACK_UNWIND_STRICT (fsetxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+
+}
+
+static int
+selinux_setxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *xdata)
+{
+ STACK_UNWIND_STRICT (setxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+
+static int
+selinux_setxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
+ dict_t *dict, int flags, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ int32_t ret = -1;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO ("selinux", priv, err);
+
+ if (!priv->selinux_enabled)
+ goto off;
+
+ ret = dict_rename_key (dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR);
+ if (ret < 0 && ret != -ENODATA)
+ goto err;
+
+off:
+ STACK_WIND (frame, selinux_setxattr_cbk, FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->setxattr, loc, dict, flags,
+ xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT (setxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+int32_t
+mem_acct_init (xlator_t *this)
+{
+ int ret = -1;
+
+ GF_VALIDATE_OR_GOTO("selinux", this, out);
+
+ ret = xlator_mem_acct_init (this, gf_selinux_mt_end + 1);
+
+ if (ret != 0) {
+ gf_msg (this->name, GF_LOG_ERROR, 0,
+ SL_MSG_MEM_ACCT_INIT_FAILED,
+ "Memory accounting init failed");
+ return ret;
+ }
+out:
+ return ret;
+}
+
+int32_t
+init (xlator_t *this)
+{
+ int32_t ret = -1;
+ selinux_priv_t *priv = NULL;
+
+ GF_VALIDATE_OR_GOTO ("selinux", this, out);
+
+ if (!this->children || this->children->next) {
+ gf_msg (this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE,
+ "Error: SELinux (%s) not configured with exactly one "
+ "child", this->name);
+ return -1;
+ }
+
+ if (this->parents == NULL) {
+ gf_msg (this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE,
+ "Dangling volume. Please check the volfile");
+ }
+
+ priv = GF_CALLOC (1, sizeof (*priv), gf_selinux_mt_selinux_priv_t);
+ if (!priv) {
+ gf_log (this->name, GF_LOG_ERROR, "out of memory");
+ ret = ENOMEM;
+ goto out;
+ }
+
+ GF_OPTION_INIT ("selinux", priv->selinux_enabled, bool, out);
+
+ this->local_pool = mem_pool_new (selinux_priv_t, 64);
+ if (!this->local_pool) {
+ ret = -1;
+ gf_msg (this->name, GF_LOG_ERROR, ENOMEM, SL_MSG_ENOMEM,
+ "Failed to create local_t's memory pool");
+ goto out;
+ }
+
+ this->private = (void *)priv;
+ ret = 0;
+out:
+ if (ret) {
+ if (priv) {
+ GF_FREE (priv);
+ }
+ mem_pool_destroy (this->local_pool);
+ }
+ return ret;
+}
+
+int
+reconfigure (xlator_t *this, dict_t *options)
+{
+ int32_t ret = -1;
+ selinux_priv_t *priv = NULL;
+
+ priv = this->private;
+
+ GF_OPTION_RECONF ("selinux", priv->selinux_enabled, options,
+ bool, out);
+
+ ret = 0;
+out:
+ return ret;
+
+}
+
+void
+fini (xlator_t *this)
+{
+ selinux_priv_t *priv = NULL;
+
+ priv = this->private;
+ GF_FREE (priv);
+
+ mem_pool_destroy (this->local_pool);
+
+ return;
+}
+
+struct xlator_fops fops = {
+ .getxattr = selinux_getxattr,
+ .fgetxattr = selinux_fgetxattr,
+ .setxattr = selinux_setxattr,
+ .fsetxattr = selinux_fsetxattr,
+};
+
+struct xlator_cbks cbks = {
+};
+
+struct volume_options options[] = {
+ { .key = { "selinux" },
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "on",
+ .description = "Enable/disable selinux translator",
+ },
+ { .key = { NULL }, }
+};
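Review bot: In `selinux_getxattr` and `selinux_fgetxattr` the cookie passed to the callback is `xattr_name`, which equals `SELINUX_GLUSTER_XATTR` both when a request for `security.selinux` was rewritten and when the caller asked for `trusted.glusterfs.selinux` directly — including on the `!priv->selinux_enabled` path, which jumps to `off` with the name untouched — so the callbacks rename the returned key to `security.selinux` in cases where no rewrite happened and the translator is meant to be passive. Passing a cookie only when the rewrite occurred keeps the callbacks' existing `name && !strcmp(...)` check correct: `STACK_WIND_COOKIE (frame, selinux_getxattr_cbk, (xattr_name != name) ? xattr_name : NULL,` and the same in `selinux_fgetxattr`. Smaller points: `selinux_fgetxattr_cbk` returns `ret` from `dict_rename_key` while the other three callbacks return 0, and passes `op_errno` (already known to be 0 inside that branch) as the errno to `gf_msg`; `init` creates `this->local_pool` from `selinux_priv_t` although none of the fops here allocate a local, and its calloc-failure path uses `gf_log` with `ret = ENOMEM` where the pool-failure path two blocks later uses `gf_msg`/`SL_MSG_ENOMEM` with `ret = -1`; `reconfigure` dereferences `priv` without the `GF_VALIDATE_OR_GOTO ("selinux", priv, out)` guard the fops apply. `fini` frees `priv` but leaves `this->private` pointing at the freed block; `this->private = NULL;` after `GF_FREE (priv);` avoids a dangling pointer if anything touches the xlator after fini.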
diff --git a/xlators/features/selinux/src/selinux.h b/xlators/features/selinux/src/selinux.h
new file mode 100644
index 00000000000..2ff57b5080a
--- /dev/null
+++ b/xlators/features/selinux/src/selinux.h
@@ -0,0 +1,24 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+#ifndef __SELINUX_H__
+#define __SELINUX_H__
+
+#include "common-utils.h"
+
+#define SELINUX_XATTR "security.selinux"
+#define SELINUX_GLUSTER_XATTR "trusted.glusterfs.selinux"
+
+struct selinux_priv {
+ gf_boolean_t selinux_enabled;
+};
+
+typedef struct selinux_priv selinux_priv_t;
+
+#endif
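Review bot: `SELINUX_XATTR` and `SELINUX_GLUSTER_XATTR` carry no comment, yet the mapping between them is the entire contract of this translator, and a reader of the header cannot tell which name is client-facing and which is what the brick stores. Suggested above `SELINUX_XATTR`: `/* xattr name used by clients; selinux.c rewrites it to SELINUX_GLUSTER_XATTR before forwarding setxattr/fsetxattr and maps it back in getxattr/fgetxattr replies */`, and above `SELINUX_GLUSTER_XATTR`: `/* name under which the label is stored on the brick */`. The `selinux_enabled` field should likewise note that it is driven by the `selinux` volume option (default `on`) read in `init` and `reconfigure`, and that when it is off the fops forward requests unmodified.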
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index f0713e6e64a..02c8ed2ade2 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -1441,11 +1441,11 @@ brick_graph_add_posix (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
dict_t *set_dict, glusterd_brickinfo_t *brickinfo)
{
int ret = -1;
- gf_boolean_t quota_enabled = _gf_true;
- gf_boolean_t trash_enabled = _gf_false;
- gf_boolean_t pgfid_feat = _gf_false;
- char *value = NULL;
- xlator_t *xl = NULL;
+ gf_boolean_t quota_enabled = _gf_true;
+ gf_boolean_t trash_enabled = _gf_false;
+ gf_boolean_t pgfid_feat = _gf_false;
+ char *value = NULL;
+ xlator_t *xl = NULL;
if (!graph || !volinfo || !set_dict || !brickinfo)
goto out;
@@ -1496,6 +1496,25 @@ out:
}
static int
+brick_graph_add_selinux (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
+ dict_t *set_dict, glusterd_brickinfo_t *brickinfo)
+{
+ xlator_t *xl = NULL;
+ int ret = -1;
+
+ if (!graph || !volinfo)
+ goto out;
+
+ xl = volgen_graph_add (graph, "features/selinux", volinfo->volname);
+ if (!xl)
+ goto out;
+
+ ret = 0;
+out:
+ return ret;
+}
+
+static int
brick_graph_add_trash (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
dict_t *set_dict, glusterd_brickinfo_t *brickinfo)
{
@@ -2433,6 +2452,7 @@ static volgen_brick_xlator_t server_graph_table[] = {
{brick_graph_add_index, "index"},
{brick_graph_add_barrier, NULL},
{brick_graph_add_marker, "marker"},
+ {brick_graph_add_selinux, "selinux"},
{brick_graph_add_fdl, "fdl"},
{brick_graph_add_iot, "io-threads"},
{brick_graph_add_upcall, "upcall"},
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.h b/xlators/mgmt/glusterd/src/glusterd-volgen.h
index 8f725c46380..5941fd959ae 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.h
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.h
@@ -32,6 +32,7 @@
#define VKEY_FEATURES_TRASH "features.trash"
#define VKEY_FEATURES_BITROT "features.bitrot"
#define VKEY_FEATURES_SCRUB "features.scrub"
+#define VKEY_FEATURES_SELINUX "features.selinux"
#define VKEY_PARALLEL_READDIR "performance.parallel-readdir"
#define VKEY_READDIR_AHEAD "performance.readdir-ahead"
#define VKEY_RDA_CACHE_LIMIT "performance.rda-cache-limit"
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 8b2ac810e09..1b26f7d8397 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -3036,6 +3036,17 @@ struct volopt_map_entry glusterd_volopt_map[] = {
"The max value is 262144 pages i.e 1 GB and "
"the min value is 1000 pages i.e ~4 MB."
},
+ { .key = VKEY_FEATURES_SELINUX,
+ .voltype = "features/selinux",
+ .type = NO_DOC,
+ .value = "on",
+ .op_version = GD_OP_VERSION_3_11_0,
+ .description = "Convert security.selinux xattrs to "
+ "trusted.gluster.selinux on the bricks. Recommended "
+ "to have enabled when clients and/or bricks support "
+ "SELinux."
+ },
+
#endif /* USE_GFDB */
{ .key = "locks.trace",
.voltype = "features/locks",
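Review bot: The description says the xattrs are converted to `trusted.gluster.selinux`, but selinux.h defines `SELINUX_GLUSTER_XATTR` as `"trusted.glusterfs.selinux"`; change the second string to `"trusted.glusterfs.selinux on the bricks. Recommended "` so the text administrators read matches what the brick stores. The new entry is inserted directly above `#endif /* USE_GFDB */`; if the matching `#ifdef USE_GFDB` opens before it (outside this hunk), `features.selinux` is only registered in builds with GFDB support, which does not look intended for an option whose xlator is added to every brick graph unconditionally in glusterd-volgen.c — move the entry below the `#endif` if so. `.type = NO_DOC` is combined with a full `.description`; confirm hiding the option from help output is deliberate.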