diff options
| author | Anand Avati <avati@redhat.com> | 2012-05-29 22:01:42 -0700 |
|---|---|---|
| committer | Anand Avati <avati@redhat.com> | 2012-05-29 22:58:07 -0700 |
| commit | f69785a9e3f9ad55e81f1fe8212485b7e4dc11fe (patch) | |
| tree | 7c0ccc27d3f9ebbd13322260837cf24ccc0792a7 /xlators | |
| parent | 647f561f6ad16174da700ea6b70f01b6e0ae6d96 (diff) | |
fuse: make SELinux support configurable
Make support for SELinux labels (extended attributes) configurable
and disabled by default as it can cause significant performance
penalty when enabled (it need not be enabled unless specially crafted
policies are set -- which is not by default)
Change-Id: I97bc4b1c26cf055fd520e9bf2d49e52b14fe7515
BUG: 811217
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.com/3485
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Diffstat (limited to 'xlators')
| -rw-r--r-- | xlators/mount/fuse/src/fuse-bridge.c | 35 | ||||
| -rw-r--r-- | xlators/mount/fuse/src/fuse-bridge.h | 3 | ||||
| -rwxr-xr-x | xlators/mount/fuse/utils/mount.glusterfs.in | 5 |
3 files changed, 27 insertions, 16 deletions
diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c index 42190083a27..fa728604daf 100644 --- a/xlators/mount/fuse/src/fuse-bridge.c +++ b/xlators/mount/fuse/src/fuse-bridge.c @@ -2641,13 +2641,13 @@ fuse_setxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, EOPNOTSUPP); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, EOPNOTSUPP); + GF_FREE (finh); + return; + } + } /* Check if the command is for changing the log level of process or specific xlator */ @@ -2913,13 +2913,13 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, ENODATA); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, ENODATA); + GF_FREE (finh); + return; + } + } GET_STATE (this, finh, state); @@ -4496,6 +4496,13 @@ init (xlator_t *this_xl) if (priv->uid_map_root) priv->acl = 1; + priv->selinux = 0; + ret = dict_get_str (options, "selinux", &value_string); + if (ret == 0) { + ret = gf_string2boolean (value_string, &priv->selinux); + GF_ASSERT (ret == 0); + } + priv->read_only = 0; ret = dict_get_str (options, "read-only", &value_string); if (ret == 0) { diff --git a/xlators/mount/fuse/src/fuse-bridge.h b/xlators/mount/fuse/src/fuse-bridge.h index 3711ca54da0..eb43e6686eb 100644 --- a/xlators/mount/fuse/src/fuse-bridge.h +++ b/xlators/mount/fuse/src/fuse-bridge.h @@ -66,8 +66,6 @@ #define MAX_FUSE_PROC_DELAY 1 -//#define DISABLE_SELINUX 1 - typedef struct fuse_in_header fuse_in_header_t; typedef void (fuse_handler_t) (xlator_t *this, fuse_in_header_t *finh, void *msg); @@ -109,6 +107,7 @@ struct fuse_private { gf_boolean_t client_pid_set; unsigned uid_map_root; gf_boolean_t acl; + gf_boolean_t selinux; gf_boolean_t read_only; fdtable_t *fdtable; diff --git a/xlators/mount/fuse/utils/mount.glusterfs.in b/xlators/mount/fuse/utils/mount.glusterfs.in index 3ca09b03b1d..8dcf8caff1a 100755 --- a/xlators/mount/fuse/utils/mount.glusterfs.in +++ b/xlators/mount/fuse/utils/mount.glusterfs.in @@ -77,6 +77,10 @@ start_glusterfs () cmd_line=$(echo "$cmd_line --acl"); fi + if [ -n "$selinux" ]; then + cmd_line=$(echo "$cmd_line --selinux"); + fi + if [ -n "$worm" ]; then cmd_line=$(echo "$cmd_line --worm"); fi @@ -250,6 +254,7 @@ main () case "$pair" in "ro") read_only=1 ;; "acl") acl=1 ;; + "selinux") selinux=1 ;; "worm") worm=1 ;; # "mount -t glusterfs" sends this, but it's useless. "rw") ;; |