Virtualization Plugins


Need a way to change linux file context type on Delphix mounted file system

  • 1.  Need a way to change linux file context type on Delphix mounted file system

    Posted 07-09-2019 11:59:00 AM
    The MongoDB service is failing to start when the dbPath is pointing to a Delphix mount.
    See attached for details.
    To resolve we need to find a way to change the context type for the files on the Delphix mount from 'nfs_t' to 'mongod_var_lib_t'.

    I tried changing the type as root on the mounted file system, but it failed. 
        chcon -R -t mongod_var_lib_t /target/mongo-vdb1/*
    Is there a way to do it as part of the mount like we did with uid/gid? 
    Or a way to allow this on the mount? 
    Other options for accomplishing this?

    Without this we cannot use the SDK to virtualize MongoDB.

    Thanks!

    Paul

    ------------------------------
    Paul Jauquet
    Senior Data Services Consultant
    Axis Technology, LLC
    ------------------------------




  • 2.  RE: Need a way to change linux file context type on Delphix mounted file system

    Posted 07-10-2019 03:32:00 PM
    Hi Paul,

    As we spoke on the phone yesterday, Delphix doesn't explicitly specify a "context" option when mounting an NFS share on the staging or target host. This results in SELinux assigning a default security context to NFS volumes, which is of type "nfs_t", as you noted in the attached document. 

    > I tried changing the type as root on the mounted file system, but it failed. 
    >    chcon -R -t mongod_var_lib_t /target/mongo-vdb1/*

    I believe that this might be happening because of the default context assigned to the NFS share. As per the SELinux docs:
    "When a file system is mounted with a context option, context changes (by users and processes) are prohibited. For example, running the chcon command on a file system mounted with a context option results in a Operation not supported error."

    Source:
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts

    > Is there a way to do it as part of the mount like we did with uid/gid?

    Currently, there's no way to do it using plugin operations. I believe you're referring to the linked.mount_specification() and virtual.mount_specification() plugin operations, which let you define a MountSpecification object (https://developer.delphix.com/References/Classes/#mountspecification). Defining a MountSpecification object is equivalent to specifying additional options to the mount command we issue from the engine. As you know, we only support defining the mount paths and ownership attributes.

    > Other options for accomplishing this?

    I'm not very familiar with SELinux, but it seems that it is possible to change the default context assigned to NFS volumes:
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent

    You may also want to try the "semanage fcontext" command as a persistent alternative to "chcon", which claims to change the default context mapping. You could try changing the default filesystem context for your mount directory, which in this case seems to be "/target":
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext

    ------------------------------
    Filip Drozdowski
    Senior Member of Technical Staff I
    Delphix
    ------------------------------
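
An added example, not part of either post and not Delphix code: a shell helper that reads a mount table in /proc/mounts format and reports, for a path such as the MongoDB dbPath, which mount it sits on and whether a context= option was supplied. The function names, host names and sample mount table are constructed for illustration; only /target/mongo-vdb1 comes from the thread.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (hosts and exports are placeholders;
# /target/mongo-vdb1 is the mount named in the thread).
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,seclabel,relatime 0 0
engine.example:/vdb1 /target/mongo-vdb1 nfs rw,relatime,vers=3,hard 0 0
nas.example:/www /srv/www nfs rw,context="system_u:object_r:httpd_sys_content_t:s0",vers=3 0 0'

# Print "mountpoint fstype options" for the longest mount point containing $2.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { pre = ($2 == "/") ? "/" : $2 "/"
          if (index(p "/", pre) == 1 && length($2) >= length(best)) {
              best = $2; line = $2 " " $3 " " $4 } }
        END { if (line == "") exit 1; print line }'
}

# Print the value of the context= mount option, or "none". Matching on
# ",context=" keeps fscontext=, defcontext= and rootcontext= from matching.
context_option() {
    printf '%s\n' "$1" | awk '{
        s = "," $0; i = index(s, ",context=")
        if (!i) { print "none"; exit }
        v = substr(s, i + 9)
        if (substr(v, 1, 1) == "\"") { v = substr(v, 2); sub(/".*/, "", v) }
        else sub(/,.*/, "", v)
        print v }'
}

# Classify the mount behind a path and print "mountpoint fstype context kind":
#   context-mount  explicit context= option (chcon prohibited, per the quoted docs)
#   default-label  NFS without context= (SELinux default applies; nfs_t in the thread)
#   other          not NFS and no context= option
selinux_mount_report() {
    m=$(mount_for_path "$1" "$2") || { echo "no-mount"; return 1; }
    read -r mp fstype opts <<EOF
$m
EOF
    ctx=$(context_option "$opts")
    kind=other
    case "$fstype" in nfs*) kind=default-label ;; esac
    [ "$ctx" = none ] || kind=context-mount
    echo "$mp $fstype $ctx $kind"
}

# On a live host: selinux_mount_report "$(cat /proc/mounts)" /target/mongo-vdb1
```
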