Support Policies for RHEL Resilient Storage - gfs2 with SELinux

Overview

Applicable Environments

  • Red Hat Enterprise Linux (RHEL) with the Resilient Storage Add-On

Useful References and Guides

Introduction

This policy guide describes Red Hat's policies around the usage of SELinux with gfs2 filesystems. Users of gfs2 should adhere to these policies in order to be eligible for support from Red Hat with the appropriate product support subscriptions.

Policies

Supported releases of gfs2 with SELinux: Red Hat only supports use of gfs2 on systems where SELinux is enabled (either enforcing or permissive) in RHEL 8, or in RHEL 7 Update 4 or later, that is, with kernel-3.10.0-693.el7 or later.

Red Hat does not support usage of gfs2 with SELinux enabled in RHEL 6.

Mount-time requirement for gfs2 with SELinux enabled: When using gfs2 on a system that has SELinux enabled, the gfs2 filesystem should be mounted with the context mount option, which assigns a single SELinux context to all directories and files on that filesystem, as demonstrated in the gfs2 documentation.

  • NOTE: The context mount option is known to cause problems with gfs2-related utilities in RHEL 7 Update 1 and earlier. Red Hat has only validated proper functionality of the context option with SELinux enabled in RHEL 8 and in RHEL 7 Update 4 and later, so it is important to abide by the Supported releases policy above.

Performance considerations without the context option: In any release of RHEL Resilient Storage, a gfs2 filesystem mounted without the context option may suffer suboptimal performance. gfs2's design incurs additional overhead in a variety of file operations whenever an inode's extended attributes (xattrs) must be accessed, which is the case when SELinux is enabled, because SELinux stores each file's security label in an xattr. Mounting with the context option as described above causes the kernel VFS to hold a single static label in memory for every inode on the filesystem, so gfs2 never has to read or manipulate the security xattr itself.

Because of these performance concerns, Red Hat cannot recommend or assist with the use of gfs2 with SELinux enabled where the context option is not specified.
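As an added example (not part of the Red Hat policy article), the following POSIX shell check reads a mount table in /proc/mounts format and lists gfs2 filesystems that are mounted without the context option required above; the sample mount lines, device names and the context type system_u:object_r:nfs_t:s0 are constructed placeholders, and the type to use on a real system comes from the gfs2 documentation.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): find gfs2 mounts that lack the
# context= mount option. Reads mount-table lines in /proc/mounts format
# (device mountpoint fstype options dump pass) from stdin, so it runs against a
# constructed sample as well as the live table:
#     gfs2_mounts_without_context < /proc/mounts

# Print the mount point of every gfs2 entry whose option list has no context=
# option. SELinux quotes the value (context="...") when it contains a comma,
# so only the option name is matched.
gfs2_mounts_without_context() {
    awk '$3 == "gfs2" {
        n = split($4, opts, ",")
        found = 0
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^context=/) found = 1
        if (!found) print $2
    }'
}

# Exit 0 when every gfs2 mount in the table has a context option, 1 otherwise.
check_gfs2_context() {
    [ -z "$(gfs2_mounts_without_context)" ]
}

# Constructed sample table: the context type system_u:object_r:nfs_t:s0 is an
# illustrative placeholder; take the type to use from the gfs2 documentation.
SAMPLE_MOUNTS='/dev/mapper/vg_cluster-lv_shared /mnt/shared gfs2 rw,relatime,context=system_u:object_r:nfs_t:s0,lock_dlm 0 0
/dev/mapper/vg_cluster-lv_data /mnt/data gfs2 rw,relatime,lock_dlm 0 0
/dev/sda1 / xfs rw,relatime,seclabel 0 0'

# Only /mnt/data is reported. SELinux does not allow the security options of a
# mounted filesystem to change on remount, so the fix is to unmount it and mount
# it again with -o context=<type-from-gfs2-docs>, or add context= to its fstab entry.
printf '%s\n' "$SAMPLE_MOUNTS" | gfs2_mounts_without_context
```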