GlusterFS is an open source, software-defined, scale-out distributed filesystem which resides in user space and typically runs on any commodity hardware. It has a stackable architecture, so it is very easy to introduce a new feature. When storage of any sort comes into the picture, security and privacy are two important features that concern everyone. SELinux is one of the trending facilities that provides both. From the server-side view, GlusterFS works well in SELinux environments, but this does not address SELinux support for the contents stored on Gluster volumes. This presentation will go one step further: how an end user can use SELinux contexts over Gluster volumes. In the world of Storage as a Service this is a feature that everyone will love to have.

This talk will cover two open source technologies, SELinux and GlusterFS. GlusterFS is software-defined storage. SELinux, otherwise known as Security-Enhanced Linux, is a security module available in the Linux kernel through which security policies can be defined. Although it is widely used in the Linux world, no one has tried it with a distributed file system. So why is it important for software-defined storage, or for distributed storage? The user-specific security options available to an end user are always limited (one of them is ACLs). First of all, it is an additional security flavor for the end user. From the point of view of storage as a service, it is one of the key security features that an end user can directly use. There are different clients which try to provide this facility; in the case of NFS, Labeled NFS is the effort put into the NFSv4 protocol which provides the same.

The entire talk covers how the SELinux feature can be implemented in a distributed file system, taking GlusterFS as an example. GlusterFS has a stackable architecture, so we can easily plug in this feature. Each layer in this stack is known as a translator. In the case of SELinux, a new translator will be introduced at the server side. The SELinux contexts are stored on the backend as extended attributes named "security.selinux", so this translator will handle all the getxattr/setxattr calls from the client. Another important point to be noted is that there will be an SELinux context for the Gluster processes themselves in Linux environments, so those process contexts must not get mixed up with the labels of files stored in Gluster volumes.

This project is planned for the Gluster 3.10 release, so it will be a good platform to get early feedback, suggestions and contributions for this feature.
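To make the translator idea concrete, here is an added toy model written for this page; it is not GlusterFS code and does not describe the real translator's design. It assumes a hypothetical `SelinuxTranslator` class stacked above a constructed in-memory `Brick` that stands in for the backend filesystem's xattr store. The translator forwards every xattr call downward, treats only the `security.selinux` key specially (rejecting labels that do not have the `user:role:type[:range]` shape), and leaves a file with no stored label unlabeled (reported as `ENODATA`, as `getxattr(2)` would) instead of substituting the brick process's own context.

```python
"""Toy model of a server-side "selinux" translator (hypothetical; not GlusterFS code).

Each layer of the stack exposes the same xattr operations and forwards them
to the layer below.  The Brick is a constructed in-memory stand-in for the
backend filesystem, so the example runs offline.
"""
import errno
import re

SELINUX_XATTR = "security.selinux"

# Shape of an SELinux label: user:role:type, optionally followed by an
# MLS/MCS range such as "s0" or "s0-s0:c0.c1023".
_LABEL_RE = re.compile(
    r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+(?::[A-Za-z0-9_.:,-]+)?$"
)


def valid_label(label: str) -> bool:
    """Return True if `label` is well-formed (user:role:type[:range])."""
    return bool(_LABEL_RE.match(label))


class Brick:
    """Constructed in-memory stand-in for the backend POSIX xattr store."""

    def __init__(self):
        self._xattrs = {}  # path -> {attribute name: value}

    def setxattr(self, path, name, value):
        self._xattrs.setdefault(path, {})[name] = value

    def getxattr(self, path, name):
        try:
            return self._xattrs[path][name]
        except KeyError:
            # getxattr(2) reports a missing attribute as ENODATA.
            raise OSError(errno.ENODATA, "No data available")

    def listxattr(self, path):
        return sorted(self._xattrs.get(path, {}))


class SelinuxTranslator:
    """Hypothetical translator layered above the brick (an assumption of this example).

    Every call is forwarded to the next layer; only the security.selinux key
    is inspected.  `process_context` is the label the brick daemon itself runs
    under and is deliberately never used as a default for files.
    """

    def __init__(self, next_layer, process_context):
        self.next = next_layer
        self.process_context = process_context

    def setxattr(self, path, name, value):
        if name == SELINUX_XATTR and not valid_label(value):
            raise OSError(errno.EINVAL, f"malformed SELinux label: {value!r}")
        return self.next.setxattr(path, name, value)

    def getxattr(self, path, name):
        # No fallback to self.process_context: an unlabeled file stays
        # unlabeled and the backend's ENODATA propagates to the client.
        return self.next.getxattr(path, name)

    def listxattr(self, path):
        return self.next.listxattr(path)


def demo():
    """Exercise the stack with constructed paths and labels; return observations."""
    stack = SelinuxTranslator(Brick(), process_context="system_u:system_r:glusterd_t:s0")
    good = "system_u:object_r:httpd_sys_content_t:s0"

    stack.setxattr("/vol/a.txt", SELINUX_XATTR, good)
    label = stack.getxattr("/vol/a.txt", SELINUX_XATTR)

    rejected = False
    try:
        stack.setxattr("/vol/b.txt", SELINUX_XATTR, "not-a-label")
    except OSError as exc:
        rejected = exc.errno == errno.EINVAL

    unlabeled_is_enodata = False
    try:
        stack.getxattr("/vol/c.txt", SELINUX_XATTR)
    except OSError as exc:
        unlabeled_is_enodata = exc.errno == errno.ENODATA

    return {
        "label": label,
        "rejected": rejected,
        "unlabeled_is_enodata": unlabeled_is_enodata,
        "attrs_on_a": stack.listxattr("/vol/a.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation of concerns the abstract calls out: the brick daemon's own context (`glusterd_t` in the constructed value above) lives in the translator, not in the per-file store, so a client can only ever read back a label that was explicitly set on that file.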