I'm trying to figure out a way to get sshfs to play nicely with an SELinux enabled current Fedora host (current, in this context, means Fedora 17 at the time of writing).
Let's assume I have an external file server that I would like to connect to through sshfs, in order to provide access to email and sql data.
So I would naively do something like:
su - imapsshuser -C 'sshfs storagehost:/srv/imap /srv/imap'
su - sqlsshuser -C 'sshfs storagehost:/srv/sql /srv/sql'
in order to mount the directories I will use for my local email and sql services respectively.
The problem now is that neither the `sshfs` nor the similar `mount.fuse` calls properly accept any '-o context='-like options nor does sshfs (nor the underlying openssh sftp and maybe even fuse in general) support extended attributes that are used for managing SELinux contexts.
This means for starters that I cannot directly reuse any extended attributes that may or may not lie around on the file server and that I cannot even force a mount-wide SELinux context onto the respective trees.
The same seems to hold for tricks like
chcon -t dovecot_t /srv/imap
mount -o remount,context="system_u
mount -o bind,context="system_u
bject_r:dovecot_t:s0" /srv/imap /mnt/imap
Instead, both mount points remain to be mounted under the generic sshfs_t type (or, in other flavors of Linux distributions, fusefs_t).
In short, I haven't been able to figure out any way to give two distinct sshfs mount points two separate SELinux contexts that will allow me to use Fedora's default SELinux policy.
I've spent quite some time on google and various forums to find variations of my problem that might give me a clue on how to proceed, but rather unsuccessfully so far (for instance, apparently someone tried to push a patch to openssh that would allow extended attributes to pass through sftp about a year ago, but hasn't succeeded in getting it upstream yet due to developer resistance).
So, does anyone see a possibility for me to give different sshfs mount points separate SELinux contexts?
Is there, maybe, a way for me to modify the SELinux configuration in order to replace the sshfs_t default type based on the mount point path? (if possible, I'd rather not grant additional SELinux access rights to system accounts that are going to run the daemons I'm trying to use)
Thanks in advance for your advice!
selinux mailing list