How to export LSM/SEL symbols for luster file system

Solution Verified - Updated -

Issue

  • The Lustre code will use these to implement its MLS re-check on the MDS servers.
  • We are deploying a Lustre file system http://lustre.org/ on RHEL 6.5 using SELinux with MLS.
  • Changes were made to the Luster file system to account for SEL security contexts.
  • On server-side,the Lustre MDS (meta data server) server does not implement a VFS and as such does not have a natural integration point with SEL.
  • What we designed is a logical security layer that intercepts any MDS operations (e.g. file open requests, list permissions) and checks those against the AVC.
  • This security layer currently depends on a kernel that exports the following symbols for our MDS server nodes:
avc_has_perm() 
security_sid_to_context*()
security_context_to_sid*() 
security_transition_sid() 
security_validate_transition()
selinux_policycap_openperm
  • Are there any alternative solutions available to achieve same/similar functionality?

Environment

  • Red Hat Enterprise Linux 6
  • selinux-policy

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content