* FUSE and SELinux labeling
From: Sam Gandhi @ 2011-05-15 14:40 UTC (permalink / raw)
To: selinux
Hi
Is there a FAQ or some description on what one needs to do to enable
labeling on files created under a fuse filesystem?
When I mount my fuse file system I see a message like:
SELinux: initialized (dev fuse, type fuse), not configured for labeling
Now if I use a statement such as the one shown below in my SELinux policy
before loading it, I don't see those messages:
fs_use_xattr fuse system_u:object_r:fs_t;
But then when I try to mount a fuse file system using the simple fuse hello
program as "hello /tmp/foo", I see the message
"SELinux: (dev fuse, type fuse) getxattr errno 4" on the console and my
system hangs!
(Has anybody been successful in adding SELinux labels to files created by
fuse? I have searched both the fuse and SELinux mailing lists, and also
done a bit of Google searching, and nothing comes up; either this is a way
too simple thing to do and I am missing the obvious thing.)
Would appreciate any help.
(I had sent this message earlier to fuse-devel, but didn't cross-post it
to SELinux.)
-Sam
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: FUSE and SELinux labeling
From: Dominick Grift @ 2011-05-15 15:36 UTC (permalink / raw)
To: Sam Gandhi; +Cc: selinux
On 05/15/2011 04:40 PM, Sam Gandhi wrote:
> Hi
>
>
> Is there a FAQ or some description on what one needs to do to enable
> labeling on files created under a fuse filesystem?
fusefs does not support extended attributes, and so you cannot label
files on it.
You can however, probably, mount fusefs filesystems with a security context.
See man mount for information as to how to mount partitions with a
security context (context="security context here")
* Re: FUSE and SELinux labeling
From: Sam Gandhi @ 2011-05-16 0:47 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
Hello Dominick,
On Sun, May 15, 2011 at 8:36 AM, Dominick Grift <domg472@gmail.com> wrote:
> On 05/15/2011 04:40 PM, Sam Gandhi wrote:
>> Hi
>>
>>
>> Is there a FAQ or some description on what one needs to do to enable
>> labeling on files created under a fuse filesystem?
>
> fusefs does not support extended attributes, and so you cannot label
> files on it.
>
> You can however, probably, mount fusefs filesystems with a security context.
>
> See man mount for information as to how to mount partitions with a
> security context (context="security context here")
I am running the latest fuse 2.8.5 and I have tried several options of
using context=...
I haven't been successful in mounting the file system with a label that I
know exists. Have you been successful in doing so?
I have tried using the hello program from the fuse examples to mount a
directory as shown below:
hello -o context=user_u:object_r:tmpfs_t /mn/tmp/
and that doesn't work.
The only options fuse mount seems to support are:
-d -o debug enable debug output (implies -f)
-f foreground operation
-s disable multi-threaded operation
-o allow_other allow access to other users
-o allow_root allow access to root
-o nonempty allow mounts over non-empty file/dir
-o default_permissions enable permission checking by kernel
-o fsname=NAME set filesystem name
-o subtype=NAME set filesystem type
-o large_read issue large read requests (2.4 only)
-o max_read=N set maximum size of read requests
-o hard_remove immediate removal (don't hide files)
-o use_ino let filesystem set inode numbers
-o readdir_ino try to fill in d_ino in readdir
-o direct_io use direct I/O
-o kernel_cache cache files in kernel
-o [no]auto_cache enable caching based on modification times (off)
-o umask=M set file permissions (octal)
-o uid=N set file owner
-o gid=N set file group
-o entry_timeout=T cache timeout for names (1.0s)
-o negative_timeout=T cache timeout for deleted names (0.0s)
-o attr_timeout=T cache timeout for attributes (1.0s)
-o ac_attr_timeout=T auto cache timeout for attributes (attr_timeout)
-o intr allow requests to be interrupted
-o intr_signal=NUM signal to send on interrupt (10)
-o modules=M1[:M2...] names of modules to push onto filesystem stack
-o max_write=N set maximum size of write requests
-o max_readahead=N set maximum readahead
-o async_read perform reads asynchronously (default)
-o sync_read perform reads synchronously
-o atomic_o_trunc enable atomic open+truncate support
-o big_writes enable larger than 4kB writes
-o no_remote_lock disable remote file locking
-Sam
* Re: FUSE and SELinux labeling
From: Dominick Grift @ 2011-05-16 5:55 UTC (permalink / raw)
To: Sam Gandhi; +Cc: selinux
On 05/16/2011 02:47 AM, Sam Gandhi wrote:
> hello -o context=user_u:object_r:tmpfs_t /mn/tmp/
Try this:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html
* Re: FUSE and SELinux labeling
From: Daniel J Walsh @ 2011-05-17 7:02 UTC (permalink / raw)
To: Sam Gandhi; +Cc: Dominick Grift, selinux
On 05/16/2011 02:47 AM, Sam Gandhi wrote:
> Hello Dominick,
>
>
> On Sun, May 15, 2011 at 8:36 AM, Dominick Grift <domg472@gmail.com> wrote:
>> On 05/15/2011 04:40 PM, Sam Gandhi wrote:
>>> Hi
>>>
>>>
>>> Is there a FAQ or some description on what one needs to do to enable
>>> labeling on files created under a fuse filesystem?
>>
>> fusefs does not support extended attributes, and so you cannot label
>> files on it.
>>
>> You can however, probably, mount fusefs filesystems with a security context.
>>
>> See man mount for information as to how to mount partitions with a
>> security context (context="security context here")
>
> I am running latest fuse 2.8.5 and I have tried several options of
> using context=..
> I haven't been successful in mounting file system with label that I
> know exists. Have been successful in doing so?
>
> I have tried using hello program from fuse example to mount directory
> as shown below:
>
> hello -o context=user_u:object_r:tmpfs_t /mn/tmp/
> and that doesn't work.
>
> Only option fuse mount seems to support are:
>
> -d -o debug enable debug output (implies -f)
> -f foreground operation
> -s disable multi-threaded operation
>
> -o allow_other allow access to other users
> -o allow_root allow access to root
> -o nonempty allow mounts over non-empty file/dir
> -o default_permissions enable permission checking by kernel
> -o fsname=NAME set filesystem name
> -o subtype=NAME set filesystem type
> -o large_read issue large read requests (2.4 only)
> -o max_read=N set maximum size of read requests
>
> -o hard_remove immediate removal (don't hide files)
> -o use_ino let filesystem set inode numbers
> -o readdir_ino try to fill in d_ino in readdir
> -o direct_io use direct I/O
> -o kernel_cache cache files in kernel
> -o [no]auto_cache enable caching based on modification times (off)
> -o umask=M set file permissions (octal)
> -o uid=N set file owner
> -o gid=N set file group
> -o entry_timeout=T cache timeout for names (1.0s)
> -o negative_timeout=T cache timeout for deleted names (0.0s)
> -o attr_timeout=T cache timeout for attributes (1.0s)
> -o ac_attr_timeout=T auto cache timeout for attributes (attr_timeout)
> -o intr allow requests to be interrupted
> -o intr_signal=NUM signal to send on interrupt (10)
> -o modules=M1[:M2...] names of modules to push onto filesystem stack
>
> -o max_write=N set maximum size of write requests
> -o max_readahead=N set maximum readahead
> -o async_read perform reads asynchronously (default)
> -o sync_read perform reads synchronously
> -o atomic_o_trunc enable atomic open+truncate support
> -o big_writes enable larger than 4kB writes
> -o no_remote_lock disable remote file locking
>
>
> -Sam
>
You probably just need to add the allow rules using audit2allow -M myfuse
What domain are you trying to allow access to fuse?
* Re: FUSE and SELinux labeling
From: Stephen Smalley @ 2011-05-17 13:12 UTC (permalink / raw)
To: Sam Gandhi; +Cc: Dominick Grift, selinux
On Sun, 2011-05-15 at 17:47 -0700, Sam Gandhi wrote:
> I am running latest fuse 2.8.5 and I have tried several options of
> using context=..
> I haven't been successful in mounting file system with label that I
> know exists. Have been successful in doing so?
>
> I have tried using hello program from fuse example to mount directory
> as shown below:
>
> hello -o context=user_u:object_r:tmpfs_t /mn/tmp/
> and that doesn't work.
If you run it under strace -s 1024, you can look at the mount system
call and see whether it passed the context= mount option to the kernel
or not. I suspect that it didn't pass it along and that is why it
didn't work. Is there a way to directly mount your fuse fs via the
regular mount command (ala ntfs-3g) so that mount options are preserved
properly?
--
Stephen Smalley
National Security Agency
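As an added example that is not part of the thread, here is a small Python checker for the strace approach Stephen describes: it pulls the mount(2) calls out of strace output and reports, for each fuse mount, whether a context=/fscontext=/defcontext=/rootcontext= option actually reached the kernel. The trace lines are constructed; on a real system run the fuse program under "strace -f -s 1024 -e trace=mount" (the -f matters because libfuse may hand the mount to a fusermount child process).

```python
# Added example, not code from the thread: pull mount(2) calls out of strace
# output and report whether a FUSE mount carried an SELinux context option.
import re

# mount(source, target, fstype, flags, data) as strace prints it.
MOUNT_RE = re.compile(
    r'mount\("(?P<src>[^"]*)",\s*"(?P<target>[^"]*)",\s*"(?P<fstype>[^"]*)",'
    r'\s*(?P<flags>[^,]*),\s*(?P<data>"[^"]*"|NULL)\)'
)
SELINUX_OPTS = ("context", "fscontext", "defcontext", "rootcontext")

def _parse_options(data):
    """Turn the mount data argument ("a=1,b,c=2" or NULL) into a dict."""
    if data == "NULL":
        return {}
    return dict(item.partition("=")[::2] for item in data.strip('"').split(",") if item)

def parse_mount_calls(trace_text):
    """Return one dict per mount(2) call found in the strace text."""
    calls = []
    for line in trace_text.splitlines():
        m = MOUNT_RE.search(line)
        if m:
            calls.append({"source": m.group("src"), "target": m.group("target"),
                          "fstype": m.group("fstype"), "flags": m.group("flags"),
                          "options": _parse_options(m.group("data"))})
    return calls

def fuse_context_status(trace_text):
    """(target, SELinux option name or None, its value) for each fuse mount."""
    report = []
    for c in parse_mount_calls(trace_text):
        if not (c["fstype"] in ("fuse", "fuseblk") or c["fstype"].startswith("fuse.")):
            continue
        opt = next((k for k in SELINUX_OPTS if k in c["options"]), None)
        report.append((c["target"], opt, c["options"][opt] if opt else None))
    return report

# Constructed sample: line 1 mirrors what libfuse's mount helper sends (no
# context=), line 2 did forward context=, line 3 is an unrelated mount.
SAMPLE_TRACE = """\
[pid  4242] mount("hello", "/mn/tmp/", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=1000,group_id=1000") = 0
mount("hello", "/mnt/labeled", "fuse", MS_NOSUID|MS_NODEV, "fd=4,rootmode=40000,user_id=1000,group_id=1000,context=system_u:object_r:tmpfs_t:s0") = 0
mount("tmpfs", "/tmp", "tmpfs", 0, NULL) = 0
"""

if __name__ == "__main__":
    for target, opt, value in fuse_context_status(SAMPLE_TRACE):
        print(target, f"{opt}={value}" if opt else "no SELinux context option reached the kernel")
```

A mount whose data string lacks every one of these options is labeled by the fs_use_* rule in the loaded policy, which is exactly the "not configured for labeling" case from the first message.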
* Re: FUSE and SELinux labeling
From: Dave Quigley @ 2011-05-16 1:03 UTC (permalink / raw)
To: Sam Gandhi; +Cc: selinux
On 5/15/2011 10:40 AM, Sam Gandhi wrote:
> Hi
>
>
> Is there a FAQ or some description on what one needs to do to enable
> labeling on files created under a fuse filesystem?
>
> When I mount my fuse file system I see message like
>
> SELinux: initialized (dev fuse, type fuse), not configured for labeling
>
> Now if I use statement such as shown below in my SELinux policy before
> loading it I don't see those messages
>
> fs_use_xattr fuse system_u:object_r:fs_t;
>
> But then when I try to mount fuse file system using simple fuse hello
> program as hello /tmp/foo, I see message:
>
> SELinux: (dev fuse, type fuse) getxattr errno 4 on console and my system hangs!
>
>
> ( Has anybody been successful in adding the SELinux labels to file
> created by fuse? I have search both fuse and SElinux mailing list,
> also done bit of google search and nothing comes up , either this is
> way too simple thing to do and I am missing obvious thing)
>
> Would appreciate any help.
>
> ( I had sent message earlier to fuse-devel, but didn't cross-post it
> to SELinux )
> -Sam
>
So the short answer to this is no, you can't use xattr-style labeling on
fuse. Eric Paris in the past tried to do this but it was unsuccessful. If
I remember correctly there were some weird conditions in fuse which
would cause deadlocks. Attempts were made to fix this problem but it
seemed that it was an ideological issue just as much as a technical one.
Someone had posted a similar question back around December or September,
I believe, and it should have a more complete view of the problem. The
list of things that would need to be done would be: allow FUSE to pass
the name of the fusefs to the security server so it can decide what to
do with the particular fusefs. The second thing would be to fix the
deadlock issue in fuse, but I don't think you're going to make progress
on that. Dominick in another thread said that fuse doesn't support
xattrs. If that is the case then you would need to implement fuse xattr
handlers as well and the fuse interface for them. This list probably
isn't complete as I don't remember the full details of the conversation
from back then.
Dave