SELinux Support over GlusterFS
Submitted by Jiffin Tony Thottan (@thotz) on Thursday, 6 April 2017
Section: Crisp talk of 15 mins duration
Technical level: Intermediate
This talk will cover two open source technologies, SELinux and GlusterFS. GlusterFS is software-defined storage. SELinux, otherwise known as Security-Enhanced Linux, is a security module in the Linux kernel through which security policies can be defined. Although it is widely used in the Linux world, no one has tried it with a distributed file system. So why is it important for software-defined storage, or for distributed storage in general? The user-specific security options available to an end user are always limited (one of them is ACL). First of all, it is an additional security flavor for the end user. From the point of view of storage as a service, it is one of the key security features which an end user can directly use. There are different clients which try to provide this facility. In the case of NFS, Labeled NFS is an effort on the NFSv4 protocol which provides the same.
The entire talk covers how the SELinux feature can be implemented in a distributed file system, taking GlusterFS as an example. GlusterFS has a stackable architecture, so we can easily plug in this feature. Each layer in this stack is known as a translator. In the case of SELinux, a new translator will be introduced on the server side. The SELinux contexts are stored at the backend as extended attributes named “security.selinux”, so this translator will handle all the getxattr/setxattr calls from the client.
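As an added example (not code from the talk or from the GlusterFS project), here is a small client-side audit of the labels that reach the user through the security.selinux extended attribute the translator serves; the paths, the sample labels and the expected type glusterd_brick_t are constructed assumptions used only to show the check.

```python
"""Audit SELinux contexts exposed as the "security.selinux" xattr on a mount.

Added example, not part of the talk or of GlusterFS. Sample paths, labels and
the expected type are constructed assumptions.
"""
import os
from typing import Dict, List, Optional, Tuple

# A context is user:role:type:level. The MLS level itself may contain ':'
# (e.g. "s0:c0,c1" or "s0-s0:c0.c1023"), so split at most three times.
def parse_context(raw: bytes) -> Optional[Tuple[str, str, str, str]]:
    text = raw.rstrip(b"\x00").decode("utf-8", "replace")
    parts = text.split(":", 3)
    if len(parts) != 4 or not all(parts):
        return None
    return (parts[0], parts[1], parts[2], parts[3])


def read_context(path: str) -> Optional[bytes]:
    """Issue the getxattr the server-side translator answers for."""
    try:
        return os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:  # ENODATA: file is unlabeled; ENOTSUP: no xattr support
        return None


def audit_labels(labels: Dict[str, Optional[bytes]], expected_type: str) -> List[str]:
    """Report files with no label, a malformed label, or an unexpected type."""
    findings = []
    for path, raw in sorted(labels.items()):
        if raw is None:
            findings.append(f"{path}: no security.selinux label")
            continue
        ctx = parse_context(raw)
        if ctx is None:
            findings.append(f"{path}: malformed label {raw!r}")
        elif ctx[2] != expected_type:
            findings.append(f"{path}: type {ctx[2]} != {expected_type}")
    return findings


def audit_tree(root: str, expected_type: str) -> List[str]:
    """Walk a real mount point and run the same checks on every file."""
    labels = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            labels[p] = read_context(p)
    return audit_labels(labels, expected_type)


# Constructed sample, shaped like the bytes getxattr returns (NUL optional).
SAMPLE = {
    "/mnt/gv0/data/a.txt": b"system_u:object_r:glusterd_brick_t:s0\x00",
    "/mnt/gv0/data/b.txt": b"unconfined_u:object_r:user_home_t:s0:c0,c1",
    "/mnt/gv0/data/c.txt": None,
    "/mnt/gv0/data/d.txt": b"garbage",
}
```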
Jiffin Tony Thottan is working as a Software Engineer at Red Hat and is part of the Red Hat Storage Team. Jiffin Tony Thottan actively participates in and contributes to communities such as Gluster and NFS-Ganesha. My areas of interest include software-defined storage, protocols such as NFS, and security measures like ACL, SELinux and Kerberos.