[Open-scap] Offline mode scanning

Francisco Slavin fslavin at tresys.com
Thu May 16 13:23:15 UTC 2013


On Thursday, May 16, 2013 9:03 AM, Richard W.M. Jones wrote:
> On Thu, May 16, 2013 at 08:47:48AM -0400, Steve Grubb wrote:
> > On Thursday, May 16, 2013 10:37:25 AM Richard W.M. Jones wrote:
> > > On Mon, May 13, 2013 at 11:00:53AM -0400, Steve Grubb wrote:
> > > > On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
> >
> > SELinux labels are just extended attributes. Is there a generic
> > problem of passing through xattrs which could affect other things like
> > fs capabilities or ACLs?
> 
> AIUI it's specific to SELinux and FUSE, and doesn't apply to (other) extended
> attributes.
> 
> When a filesystem is mounted, SELinux makes filesystem requests (i.e. during
> the mount(2)) which traditional FUSE modules aren't expecting to handle,
> resulting in a deadlock.  As a result you have to rewrite your FUSE module to
> be multi-threaded (and this has larger implications for the libguestfs FUSE
> module and is not quite as easy to fix as it may seem).
> 
> If you use the libguestfs API directly then you can read and write extended
> attributes and SELinux labels just fine.
> 
> The sordid details are here:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=811217
> https://bugzilla.redhat.com/show_bug.cgi?id=812798#c42
> 
> and the libguestfs bug about this is:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=691389

For a bit of additional background, this issue has been around for a few years.
http://www.spinics.net/lists/selinux/msg09455.html

Digging deep into that message thread we come across some cryptic language here:
http://www.spinics.net/lists/selinux/msg09492.html
"Then we can't support labeling with fuse filesystems." - Stephen Smalley
This thread describes the same deadlock issue you're encountering.

It looks like libfuse has a patch queued up for libfuse-3.0
http://sourceforge.net/mailarchive/message.php?msg_id=29654774

So hopefully with newer library versions this will be addressed.  I encountered this issue recently and my team ended up taking a different approach for the specific project needs, so this is as far as my research went.  But if you need this support in libfuse currently you may be able to pull in the patch on the fuse-devel mailing list and recompile/install on your system.  I would be interested to hear if you get something working that allows SELinux support in FUSE.

 - Francisco

> 
> Rich.
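The route Rich describes as working above, reading labels through the libguestfs API directly rather than through a FUSE mount, as an added example of an offline label check; this is not code from the thread or from the libguestfs project. It assumes the python3-libguestfs bindings, a caller-supplied disk image path, and a constructed baseline of expected SELinux types.

```python
from typing import Dict, NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str


def parse_context(raw: bytes) -> Optional[Context]:
    """Parse a security.selinux value: 'user:role:type:level' plus a trailing NUL.
    The level may itself contain ':' (MLS ranges like s0-s0:c0.c1023), so split
    at most three times.  Returns None for empty or malformed values."""
    parts = raw.rstrip(b"\0").decode("utf-8", "replace").split(":", 3)
    return Context(*parts) if len(parts) == 4 else None


def read_guest_labels(image: str, paths) -> Dict[str, bytes]:
    """Fetch security.selinux for each path through the libguestfs API itself,
    with no FUSE mount in the way.  Needs python3-libguestfs (imported lazily so
    the parsing and comparison helpers work without it)."""
    import guestfs

    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(image, readonly=1)  # image path is supplied by the caller
    g.launch()
    root = g.inspect_os()[0]
    # Mount the guest's filesystems in mountpoint order (/ before /boot, ...).
    for mp, dev in sorted(g.inspect_get_mountpoints(root).items()):
        g.mount_ro(dev, mp)
    labels = {}
    for p in paths:
        try:  # lgetxattr reads the symlink's own label, not its target's
            labels[p] = g.lgetxattr(p, "security.selinux")
        except RuntimeError:  # missing file or no label
            labels[p] = b""
    g.close()
    return labels


def mismatched_types(labels: Dict[str, bytes], expected: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return {path: actual type} for every path whose SELinux type differs from
    the expected baseline; the value is None when the label is missing or malformed."""
    bad = {}
    for path, want in expected.items():
        ctx = parse_context(labels.get(path, b""))
        got = ctx.type if ctx else None
        if got != want:
            bad[path] = got
    return bad
```

Feed `read_guest_labels(image, expected.keys())` into `mismatched_types` to get the list of files whose label in the image does not match the baseline.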
