This patchset has been included in zfsonlinux; the selinux policy is still needed.
This continues my work on adding zfs to the list of filesystems that SELinux supports.
Disclaimer
- These patches are against git master (because 0.6.3 should be out 'soon').
- IANAL
- If you patch the kernel to add ZFS support directly, you cannot share the resulting binary: the CDDL and GPLv2 are not compatible in that way.
The Patch
The only patch you should need comes from this pull request. If you wish, you could also use my selinux fork branch.
http://dev.gentoo.org/~prometheanfire/patches/zfs/rootcontext.patch
https://github.com/prometheanfire/zfs/tree/selinux
These pull requests may be interesting to you as well.
- SELinux rootcontext support
- better init scripts (fixes grep)
- python3 support for arcstat and dbufstat
what it does
The patch adds selinux support to more inode types (links, directories and the like). When it detects selinux support, it also adds the mount option rootcontext= to the mount commands it issues to the host kernel.
Building the stuff
#get the patches
mkdir -p /etc/portage/patches/sys-fs/zfs /etc/portage/patches/sys-fs/zfs-kmod
curl http://dev.gentoo.org/~prometheanfire/patches/zfs/rootcontext.patch -o /etc/portage/patches/sys-fs/zfs/rootcontext.patch
curl http://dev.gentoo.org/~prometheanfire/patches/zfs/rootcontext.patch -o /etc/portage/patches/sys-fs/zfs-kmod/rootcontext.patch
#get the code into the kernel if compiling statically
#replace configure with merge to install normally
#if you wish to use my zfs branch, add the following to the start of each 'env ... ebuild' command below (right after 'env')
#EGIT_BRANCH=selinux zfs_kmod_LIVE_REPO='git://github.com/prometheanfire/zfs.git' zfs_LIVE_REPO='git://github.com/prometheanfire/zfs.git'
#configure the kernel normally and run 'make prepare'
env EXTRA_ECONF='--enable-linux-builtin' ebuild /usr/portage/sys-kernel/spl/spl-9999.ebuild clean configure
(cd /var/tmp/portage/sys-kernel/spl-9999/work/spl-9999 && ./copy-builtin /usr/src/linux)
env EXTRA_ECONF='--with-spl=/usr/src/linux --enable-linux-builtin' ebuild /usr/portage/sys-fs/zfs-kmod/zfs-kmod-9999.ebuild clean configure
(cd /var/tmp/portage/sys-fs/zfs-kmod-9999/work/zfs-kmod-9999 && ./copy-builtin /usr/src/linux)
#build and install the kernel, making sure to enable spl/zfs if you are compiling statically.
#merge this no matter what
env EXTRA_ECONF='--with-spl=/usr/src/linux --enable-linux-builtin' ebuild /usr/portage/sys-fs/zfs/zfs-9999.ebuild clean merge
#build the initrd and configure your bootloader
#get the code into the system if NOT compiling statically
env EXTRA_ECONF='--enable-linux-builtin' ebuild /usr/portage/sys-kernel/spl/spl-9999.ebuild clean merge
Labeling the datasets
Once you have rebooted into the new kernel with the new zfs userland tools, you can set rootcontext as a dataset property directly.
The default rootcontext is 'system_u:object_r:fs_t'.
zfs set rootcontext=system_u:object_r:portage_ebuild_t node02-zp00/GENTOO/portage
# zfs list -o name,mountpoint,rootcontext
NAME                                  MOUNTPOINT              ROOTCONTEXT
node02-zp00                           none                    default
node02-zp00/GENTOO                    none                    default
node02-zp00/GENTOO/portage            /usr/portage            system_u:object_r:portage_ebuild_t
node02-zp00/GENTOO/portage/distfiles  /usr/portage/distfiles  system_u:object_r:portage_ebuild_t
node02-zp00/GENTOO/portage/packages   /usr/portage/packages   system_u:object_r:portage_ebuild_t
node02-zp00/HOME                      /home                   system_u:object_r:home_root_t
node02-zp00/HOME/root                 /root                   root:object_r:user_home_dir_t
node02-zp00/ROOT                      none                    default
node02-zp00/ROOT/opt                  /opt                    system_u:object_r:usr_t
node02-zp00/ROOT/rootfs               legacy                  system_u:object_r:root_t
node02-zp00/test-vol                  -                       default
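As an added example (not the post's or zfsonlinux's own code), the shell functions below emulate what the "what it does" section describes and what the listing above shows: a dataset's rootcontext property becoming a rootcontext= mount option, with a sanity check on the label before it reaches mount(8). The dataset table is constructed from the listing above; the exact mount command line and the label regex are my assumptions, not the real userland's behaviour.

```shell
# Added example, not code from the post or from zfsonlinux: a small emulation
# of how the patched userland turns a dataset's rootcontext property into a
# mount option, plus a sanity check on the label before it reaches mount(8).
# The dataset table below is constructed from the post's listing; the exact
# mount invocation is an assumption (the real userland calls libzfs/mount(2)).

# Constructed sample of 'zfs list -H -o name,mountpoint,rootcontext' output.
SAMPLE_LIST='node02-zp00 none default
node02-zp00/GENTOO/portage /usr/portage system_u:object_r:portage_ebuild_t
node02-zp00/HOME/root /root root:object_r:user_home_dir_t
node02-zp00/ROOT/rootfs legacy system_u:object_r:root_t
node02-zp00/test-vol - default'

# valid_context LABEL: succeeds only if LABEL looks like user:role:type[:range],
# so a typo such as 'portage_ebuild_t' alone is caught before mount rejects it.
valid_context() {
    printf '%s' "$1" |
        grep -Eq '^[A-Za-z0-9_.-]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:.+)?$'
}

# dataset_field NAME COL: column COL (1=name, 2=mountpoint, 3=rootcontext).
dataset_field() {
    printf '%s\n' "$SAMPLE_LIST" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# mount_opts NAME: prints the option string the patched userland would add;
# 'default' (the property unset) yields an empty string and no rootcontext=.
mount_opts() {
    ctx=$(dataset_field "$1" 3)
    [ -n "$ctx" ] || { echo "unknown dataset: $1" >&2; return 2; }
    [ "$ctx" != default ] || return 0
    valid_context "$ctx" || { echo "malformed rootcontext on $1: $ctx" >&2; return 1; }
    echo "rootcontext=$ctx"
}

# auto_mount_cmd NAME: the mount command for an automounted dataset. Datasets
# whose mountpoint is none, legacy or - (a zvol) are skipped with status 3.
auto_mount_cmd() {
    mp=$(dataset_field "$1" 2)
    [ -n "$mp" ] || return 2
    case "$mp" in /*) ;; *) return 3 ;; esac
    opts=$(mount_opts "$1") || return $?
    if [ -n "$opts" ]; then
        echo "mount -t zfs -o $opts $1 $mp"
    else
        echo "mount -t zfs $1 $mp"
    fi
}
```

Running this against real output means replacing SAMPLE_LIST with `zfs list -H -o name,mountpoint,rootcontext`; a malformed label is reported on stderr instead of being passed through.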
Selinux Policy
I am working on getting this upstream, but for now this module is needed.
mkdir -p ~/selinux/zfs
cd ~/selinux/zfs
curl http://dev.gentoo.org/~prometheanfire/patches/zfs/zfs.fc -o zfs.fc
curl http://dev.gentoo.org/~prometheanfire/patches/zfs/zfs.te -o zfs.te
#make and insert the module
make -f /usr/share/selinux/strict/include/Makefile zfs.pp
semodule -i zfs.pp
#once upstream policy support lands, run 'semodule -r zfs' to remove this module.
The rest
You will most likely need to relabel (since this adds support for selinux labels on directories and the like).
Treat this like a non-selinux system and follow the migration guide here.