
Of ZFS and SELinux

This patchset has been included in zfsonlinux; the SELinux policy is still needed.

This continues my work on adding ZFS to the list of filesystems that SELinux supports.


  1. These patches are against git master (because 0.6.3 should be out 'soon').
  2. IANAL
  3. If you patch the kernel to add ZFS support directly, you cannot share the binary; the CDDL and GPLv2 are not compatible in that way.

The Patch

The only patch you should need comes from this pull request. If you wish, you could also use my selinux forked branch.

These pull requests may be interesting to you as well.

What it does

The patch adds SELinux support to more inode types (links, directories and the like). When it detects SELinux support, it also adds the mount option rootcontext= to the mount commands it sends to the host.

Building the stuffs

#get the patches
mkdir -p /etc/portage/patches/sys-fs/zfs /etc/portage/patches/sys-fs/zfs-kmod
curl -o /etc/portage/patches/sys-fs/zfs/rootcontext.patch
curl -o /etc/portage/patches/sys-fs/zfs-kmod/rootcontext.patch

#get the code into the kernel if compiling statically
#replace configure with merge to install normally
#if you wish to use my zfs branch, add the following variables to the env ebuild command below (right after 'env')
#EGIT_BRANCH=selinux zfs_kmod_LIVE_REPO='git://' zfs_LIVE_REPO='git://'
#configure the kernel normally and run 'make prepare'
env EXTRA_ECONF='--enable-linux-builtin' ebuild /usr/portage/sys-kernel/spl/spl-9999.ebuild clean configure
(cd /var/tmp/portage/sys-kernel/spl-9999/work/spl-9999 && ./copy-builtin /usr/src/linux)
env EXTRA_ECONF='--with-spl=/usr/src/linux --enable-linux-builtin' ebuild /usr/portage/sys-fs/zfs-kmod/zfs-kmod-9999.ebuild clean configure
(cd /var/tmp/portage/sys-fs/zfs-kmod-9999/work/zfs-kmod-9999 && ./copy-builtin /usr/src/linux)

#build and install the kernel, making sure to enable spl/zfs if you are compiling statically.

#merge this no matter what
env EXTRA_ECONF='--with-spl=/usr/src/linux --enable-linux-builtin' ebuild /usr/portage/sys-fs/zfs/zfs-9999.ebuild clean merge

#build the initrd and configure your bootloader

#get the code into the system if NOT compiling statically
env EXTRA_ECONF='--enable-linux-builtin' ebuild /usr/portage/sys-kernel/spl/spl-9999.ebuild clean merge

Labeling the datasets

Once you reboot into the new kernel with the new zfs userland tools, you can set the rootcontext as a dataset property directly.

A rootcontext of 'default' resolves to 'system_u:object_r:fs_t'.

zfs set rootcontext=system_u:object_r:portage_ebuild_t node02-zp00/GENTOO/portage

# zfs list -o name,mountpoint,rootcontext
NAME                                  MOUNTPOINT              ROOTCONTEXT
node02-zp00                           none                    default
node02-zp00/GENTOO                    none                    default
node02-zp00/GENTOO/portage            /usr/portage            system_u:object_r:portage_ebuild_t
node02-zp00/GENTOO/portage/distfiles  /usr/portage/distfiles  system_u:object_r:portage_ebuild_t
node02-zp00/GENTOO/portage/packages   /usr/portage/packages   system_u:object_r:portage_ebuild_t
node02-zp00/HOME                      /home                   system_u:object_r:home_root_t
node02-zp00/HOME/root                 /root                   root:object_r:user_home_dir_t
node02-zp00/ROOT                      none                    default
node02-zp00/ROOT/opt                  /opt                    system_u:object_r:usr_t
node02-zp00/ROOT/rootfs               legacy                  system_u:object_r:root_t
node02-zp00/test-vol                  -                       default

SELinux Policy

I am working on getting this upstream, but for now this is needed.

mkdir -p ~/selinux/zfs
cd ~/selinux/zfs
curl -o zfs.fc
curl -o zfs.te

#make and insert the module
make -f /usr/share/selinux/strict/include/Makefile zfs.pp
semodule -i zfs.pp

#once upstream support lands and this module is no longer needed, run 'semodule -r zfs' to remove it.

The rest

You will most likely need to relabel (since this adds support for SELinux labels on directories and the like).

Treat this like a non-SELinux system and follow the migration guide here.
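To see which dataset roots still need that relabel, here is an added audit helper (example code written for this post, not part of zfsonlinux or the patchset): it reads scriptable `zfs list -H` output and a list of the labels currently on each mountpoint, and reports every dataset whose on-disk root label differs from what rootcontext= will set. Collecting the actual labels with `stat -c '%n\t%C'` and the "<not mounted>" marker are assumptions of this example; the sample input is constructed from the listing above.

```python
r"""Hypothetical audit helper (not part of zfsonlinux or the patchset above).
Compares each dataset's rootcontext property with the SELinux label actually
on its mountpoint, using captured text so it runs offline:
  zfs_text - `zfs list -H -o name,mountpoint,rootcontext` (tab separated)
  ctx_text - "mountpoint<TAB>context" lines, e.g. from `stat -c '%n\t%C'` (assumed)
"""

DEFAULT_ROOTCONTEXT = "system_u:object_r:fs_t"  # what 'default' resolves to (see above)
UNMOUNTED = {"none", "legacy", "-"}  # no `zfs mount` for these; legacy lives in fstab

def expected_context(prop):
    """Context the rootcontext= mount option will carry for a property value."""
    return DEFAULT_ROOTCONTEXT if prop == "default" else prop

def parse_zfs_list(zfs_text):
    """-H output has no header and one tab-separated (name, mountpoint, prop) row per dataset."""
    return [tuple(line.split("\t", 2)) for line in zfs_text.splitlines() if line.strip()]

def parse_contexts(ctx_text):
    """Map mountpoint -> label currently on its root directory."""
    return dict(line.split("\t", 1) for line in ctx_text.splitlines() if line.strip())

def find_mismatches(zfs_text, ctx_text):
    """(dataset, mountpoint, expected, actual) for every root that still needs a relabel."""
    actual = parse_contexts(ctx_text)
    bad = []
    for name, mountpoint, prop in parse_zfs_list(zfs_text):
        if mountpoint in UNMOUNTED:
            continue
        want = expected_context(prop)
        have = actual.get(mountpoint, "<not mounted>")
        if have != want:
            bad.append((name, mountpoint, want, have))
    return bad

# Constructed sample input modelled on the `zfs list` output shown above;
# /home still carries the pre-patch filesystem default label.
SAMPLE_ZFS = "\n".join([
    "node02-zp00\tnone\tdefault",
    "node02-zp00/GENTOO/portage\t/usr/portage\tsystem_u:object_r:portage_ebuild_t",
    "node02-zp00/HOME\t/home\tsystem_u:object_r:home_root_t",
    "node02-zp00/ROOT/opt\t/opt\tsystem_u:object_r:usr_t",
    "node02-zp00/ROOT/rootfs\tlegacy\tsystem_u:object_r:root_t",
    "node02-zp00/test-vol\t-\tdefault",
])
SAMPLE_CTX = "\n".join([
    "/usr/portage\tsystem_u:object_r:portage_ebuild_t",
    "/home\tsystem_u:object_r:fs_t",
    "/opt\tsystem_u:object_r:usr_t",
])
```

Feed `find_mismatches` the real captured output after the reboot; an empty list means every `zfs mount`-managed root already carries its rootcontext label, while legacy datasets (such as rootfs above) must be checked through their fstab entries instead.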