Re: FUSE and SELinux labeling

[Dave Quigley <dpquigl@davequigley.com>]

On 5/15/2011 10:40 AM, Sam Gandhi wrote:
> Hi
>
>
> Is there a FAQ or some description on what one needs to do to enable
> labeling on files created under a fuse filesystem?
>
> When I mount my fuse file system I see message like
>
> SELinux: initialized (dev fuse, type fuse), not configured for labeling
>
> Now if I use statement such as shown below in my SELinux policy before
> loading it I don't see those messages
>
> fs_use_xattr fuse system_u:object_r:fs_t;
>
> But then when I try to mount fuse file system using simple fuse hello
> program as hello /tmp/foo, I see message:
>
> SELinux: (dev fuse, type fuse) getxattr errno 4 on console and my system hangs!
>
>
> ( Has anybody been successful in adding the SELinux labels to file
> created  by fuse? I have search both fuse and SElinux mailing list,
> also done bit of google search and nothing comes up , either this is
> way too simple thing to do and I am missing obvious thing)
>
> Would appreciate any help.
>
> ( I had sent message earlier to fuse-devel, but didn't cross-post it
> to SELinux )
> -Sam
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

So the short answer to this is No you can't use xattr style labeling on 
fuse. Eric Paris in the past tried to do this but it was unsucessful. If 
I remember correctly there were some weird conditions in fuse which 
would cause deadlocks. Attempts were made to fix this problem but it 
seemed that it was an ideological issue just as much as a technical one. 
Someone had posted a similar question back around December or September 
I believe and it should have a more complete view of the problem. The 
list of things that would need to be done would be allow FUSE to pass 
the name of the fusefs to the security server so it can decide what to 
do with the particular fusefs. The second thing would be to fix the 
deadlock issue in fuse but I don't think you're going to make progress 
on that. Dominick in another thread said that fuse doesn't support 
xattrs. If that is the case then you would need to implement fuse xattr 
handlers as well and the fuse interface for them. This list probably 
isn't complete as I don't remember the full details of the conversation 
from back then.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.