tqcq/cachefilesd
0
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

init repo.

Browse Source
This commit is contained in:
tqcq 2025-03-05 10:06:46 +08:00
commit df64bc6cf7
15 changed files with 3369 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
cachefilesd
*.o
*~
\#*

131
Makefile Normal file
View File

@ -0,0 +1,131 @@
CFLAGS := -g -O2 -Wall -Wsign-compare
INSTALL := install
DESTDIR :=
ETCDIR := /etc
BINDIR := /bin
SBINDIR := /sbin
MANDIR := /usr/share/man
SPECFILE := redhat/cachefilesd.spec
LNS := ln -sf
###############################################################################
#
# Determine the current package version from the specfile
#
###############################################################################
VERSION := $(word 2,$(shell grep "^Version:" $(SPECFILE)))
TARBALL := cachefilesd-$(VERSION).tar
ZTARBALL := $(TARBALL).bz2
###############################################################################
#
# Guess at the appropriate word size
#
###############################################################################
BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
ifeq ($(BUILDFOR),32-bit)
CFLAGS += -m32
else
ifeq ($(BUILDFOR),64-bit)
CFLAGS += -m64
endif
endif
###############################################################################
#
# Build stuff
#
###############################################################################
all: cachefilesd
cachefilesd: cachefilesd.c Makefile
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
###############################################################################
#
# Install everything
#
###############################################################################
MAN5 := $(DESTDIR)$(MANDIR)/man5
MAN8 := $(DESTDIR)$(MANDIR)/man8
install: all
$(INSTALL) -D -m 0755 cachefilesd $(DESTDIR)$(SBINDIR)/cachefilesd
$(INSTALL) -D -m 0644 cachefilesd.conf $(DESTDIR)$(ETCDIR)/cachefilesd.conf
$(INSTALL) -D -m 0644 cachefilesd.conf.5 $(MAN5)/cachefilesd.conf.5
$(INSTALL) -D -m 0644 cachefilesd.8 $(MAN8)/cachefilesd.8
###############################################################################
#
# Clean up
#
###############################################################################
clean:
$(RM) cachefilesd
$(RM) *.o *~
$(RM) debugfiles.list debugsources.list
distclean: clean
$(RM) -r rpmbuild $(TARBALL)
###############################################################################
#
# Generate a tarball
#
###############################################################################
$(ZTARBALL):
git archive --prefix=cachefilesd-$(VERSION)/ --format tar -o $(TARBALL) HEAD
bzip2 -9 <$(TARBALL) >$(ZTARBALL)
tarball: $(ZTARBALL)
###############################################################################
#
# Generate an RPM
#
###############################################################################
SRCBALL := rpmbuild/SOURCES/$(TARBALL)
ZSRCBALL := rpmbuild/SOURCES/$(ZTARBALL)
BUILDID := .local
dist := $(word 2,$(shell grep -r "^%dist" /etc/rpm /usr/lib/rpm))
release := $(word 2,$(shell grep ^Release: $(SPECFILE)))
release := $(subst %{?dist},$(dist),$(release))
release := $(subst %{?buildid},$(BUILDID),$(release))
rpmver := $(VERSION)-$(release)
SRPM := rpmbuild/SRPMS/cachefilesd-$(rpmver).src.rpm
RPMBUILDDIRS := \
--define "_srcrpmdir $(CURDIR)/rpmbuild/SRPMS" \
--define "_rpmdir $(CURDIR)/rpmbuild/RPMS" \
--define "_sourcedir $(CURDIR)/rpmbuild/SOURCES" \
--define "_specdir $(CURDIR)/rpmbuild/SPECS" \
--define "_builddir $(CURDIR)/rpmbuild/BUILD" \
--define "_buildrootdir $(CURDIR)/rpmbuild/BUILDROOT"
RPMFLAGS := \
--define "buildid $(BUILDID)"
rpm:
mkdir -p rpmbuild
chmod ug-s rpmbuild
mkdir -p rpmbuild/{SPECS,SOURCES,BUILD,BUILDROOT,RPMS,SRPMS}
git archive --prefix=cachefilesd-$(VERSION)/ --format tar -o $(SRCBALL) HEAD
bzip2 -9 <$(SRCBALL) >$(ZSRCBALL)
rpmbuild -ts $(ZSRCBALL) --define "_srcrpmdir rpmbuild/SRPMS" $(RPMFLAGS)
rpmbuild --rebuild $(SRPM) $(RPMBUILDDIRS) $(RPMFLAGS)
rpmlint: rpm
rpmlint $(SRPM) $(CURDIR)/rpmbuild/RPMS/*/cachefilesd-{,debuginfo-}$(rpmver).*.rpm
###############################################################################
#
# Build debugging
#
###############################################################################
show_vars:
@echo VERSION=$(VERSION)
@echo TARBALL=$(TARBALL)
@echo BUILDFOR=$(BUILDFOR)

399
README Normal file
View File

@ -0,0 +1,399 @@
===============================================
CacheFiles: CACHE ON ALREADY MOUNTED FILESYSTEM
===============================================
Contents:
(*) Overview.
(*) Requirements.
(*) Configuration.
(*) Starting the cache.
(*) Things to avoid.
(*) Cache culling.
(*) Cache structure.
(*) Security model and SELinux.
========
OVERVIEW
========
CacheFiles is a caching backend that's meant to use as a cache a directory on
an already mounted filesystem of a local type (such as Ext3).
CacheFiles uses a userspace daemon to do some of the cache management - such as
reaping stale nodes and culling. This is called cachefilesd and lives in
/sbin.
The filesystem and data integrity of the cache are only as good as those of the
filesystem providing the backing services. Note that CacheFiles does not
attempt to journal anything since the journalling interfaces of the various
filesystems are very specific in nature.
CacheFiles creates a proc-file - "/proc/fs/cachefiles" - that is used for
communication with the daemon. Only one thing may have this open at once, and
whilst it is open, a cache is at least partially in existence. The daemon
opens this and sends commands down it to control the cache.
CacheFiles is currently limited to a single cache.
CacheFiles attempts to maintain at least a certain percentage of free space on
the filesystem, shrinking the cache by culling the objects it contains to make
space if necessary - see the "Cache Culling" section. This means it can be
placed on the same medium as a live set of data, and will expand to make use of
spare space and automatically contract when the set of data requires more
space.
============
REQUIREMENTS
============
The use of CacheFiles and its daemon requires the following features to be
available in the system and in the cache filesystem:
- dnotify.
- extended attributes (xattrs).
- openat() and friends.
- bmap() support on files in the filesystem (FIBMAP ioctl).
- The use of bmap() to detect a partial page at the end of the file.
It is strongly recommended that the "dir_index" option is enabled on Ext3
filesystems being used as a cache.
=============
CONFIGURATION
=============
The cache is configured by a script in /etc/cachefilesd.conf. These commands
set up cache ready for use. The following script commands are available:
(*) brun <N>%
(*) bcull <N>%
(*) bstop <N>%
(*) frun <N>%
(*) fcull <N>%
(*) fstop <N>%
Configure the culling limits. Optional. See the section on culling
The defaults are 7% (run), 5% (cull) and 1% (stop) respectively.
The commands beginning with a 'b' are file space (block) limits, those
beginning with an 'f' are file count limits.
(*) dir <path>
Specify the directory containing the root of the cache. Mandatory.
(*) tag <name>
Specify a tag to FS-Cache to use in distinguishing multiple caches.
Optional. The default is "CacheFiles".
(*) culltable <log2size>
Specify the size of the tables holding the lists of cullable objects in
the cache. The bigger the number, the faster and more smoothly that
culling can proceed when there are many objects in the cache, but the
more memory will be consumed by cachefilesd.
The quantity is specified as log2 of the size actually required, for
example 12 indicates a table of 4096 entries and 13 indicates 8192
entries. The permissible values are between 12 and 20, the latter
indicating 1048576 entries. The default is 12.
(*) resume_thresholds <blocks> <files>
Scanning to refill the cull table is suspended when all the objects in
a cache are pinned by a live network filesystem in the kernel and
there's nothing available to cull. Scanning is resumed when the kernel
releases sufficient objects that either the number of objects released
exceeds the files parameter here or the cumulative i_blocks values
exceed the blocks parameter. Either threshold can be disabled by
specifying it as "-".
The default is to ignore the block threshold and to resume when five or
more files have been released.
(*) debug <mask>
Specify a numeric bitmask to control debugging in the kernel module.
Optional. The default is zero (all off).
==================
STARTING THE CACHE
==================
The cache is started by running the daemon. The daemon opens the cache proc
file, configures the cache and tells it to begin caching. At that point the
cache binds to fscache and the cache becomes live.
The daemon is run as follows:
/sbin/cachefilesd [-d]* [-s] [-n] [-N] [-f <configfile>]
The flags are:
(*) -d
Increase the debugging level. This can be specified multiple times and
is cumulative with itself.
(*) -s
Send messages to stderr instead of syslog.
(*) -n
Don't daemonise and go into background.
(*) -N
Disable culling and scanning to fill the cull table.
(*) -f <configfile>
Use an alternative configuration file rather than the default one.
===============
THINGS TO AVOID
===============
Do not mount other things within the cache as this will cause problems. The
kernel module contains its own very cut-down path walking facility that ignores
mountpoints, but the daemon can't avoid them.
Do not create, rename or unlink files and directories in the cache whilst the
cache is active, as this may cause the state to become uncertain.
Renaming files in the cache might make objects appear to be other objects (the
filename is part of the lookup key).
Do not change or remove the extended attributes attached to cache files by the
cache as this will cause the cache state management to get confused.
Do not create files or directories in the cache, lest the cache get confused or
serve incorrect data.
Do not chmod files in the cache. The module creates things with minimal
permissions to prevent random users being able to access them directly.
=============
CACHE CULLING
=============
The cache may need culling occasionally to make space. This involves
discarding objects from the cache that have been used less recently than
anything else. Culling is based on the access time of data objects. Empty
directories are culled if not in use.
Cache culling is done on the basis of the percentage of blocks and the
percentage of files available in the underlying filesystem. There are six
"limits":
(*) brun
(*) frun
If the amount of free space and the number of available files in the cache
rises above both these limits, then culling is turned off.
(*) bcull
(*) fcull
If the amount of available space or the number of available files in the
cache falls below either of these limits, then culling is started.
(*) bstop
(*) fstop
If the amount of available space or the number of available files in the
cache falls below either of these limits, then no further allocation of
disk space or files is permitted until culling has raised things above
these limits again.
These must be configured thusly:
0 <= bstop < bcull < brun < 100
0 <= fstop < fcull < frun < 100
Note that these are percentages of available space and available files, and do
_not_ appear as 100 minus the percentage displayed by the "df" program.
The userspace daemon scans the cache to build up a table of cullable objects.
These are then culled in least recently used order. A new scan of the cache is
started as soon as space is made in the table. Objects will be skipped if
their atimes have changed or if the kernel module says it is still using them.
===============
CACHE STRUCTURE
===============
The CacheFiles module will create two directories in the directory it was
given:
(*) cache/
(*) graveyard/
The active cache objects all reside in the first directory. The CacheFiles
kernel module moves any retired or culled objects that it can't simply unlink
to the graveyard from which the daemon will actually delete them.
The daemon uses dnotify to monitor the graveyard directory, and will delete
anything that appears therein.
The module represents index objects as directories with the filename "I..." or
"J...". Note that the "cache/" directory is itself a special index.
Data objects are represented as files if they have no children, or directories
if they do. Their filenames all begin "D..." or "E...". If represented as a
directory, data objects will have a file in the directory called "data" that
actually holds the data.
Special objects are similar to data objects, except their filenames begin
"S..." or "T...".
If an object has children, then it will be represented as a directory.
Immediately in the representative directory are a collection of directories
named for hash values of the child object keys with an '@' prepended. Into
this directory, if possible, will be placed the representations of the child
objects:
INDEX INDEX INDEX DATA FILES
========= ========== ================================= ================
cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400
cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...DB1ry
cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...N22ry
cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...FP1ry
If the key is so long that it exceeds NAME_MAX with the decorations added on to
it, then it will be cut into pieces, the first few of which will be used to
make a nest of directories, and the last one of which will be the objects
inside the last directory. The names of the intermediate directories will have
'+' prepended:
J1223/@23/+xy...z/+kl...m/Epqr
Note that keys are raw data, and not only may they exceed NAME_MAX in size,
they may also contain things like '/' and NUL characters, and so they may not
be suitable for turning directly into a filename.
To handle this, CacheFiles will use a suitably printable filename directly and
"base-64" encode ones that aren't directly suitable. The two versions of
object filenames indicate the encoding:
OBJECT TYPE PRINTABLE ENCODED
=============== =============== ===============
Index "I..." "J..."
Data "D..." "E..."
Special "S..." "T..."
Intermediate directories are always "@" or "+" as appropriate.
Each object in the cache has an extended attribute label that holds the object
type ID (required to distinguish special objects) and the auxiliary data from
the netfs. The latter is used to detect stale objects in the cache and update
or retire them.
Note that CacheFiles will erase from the cache any file it doesn't recognise or
any file of an incorrect type (such as a FIFO file or a device file).
==========================
SECURITY MODEL AND SELINUX
==========================
CacheFiles is implemented to deal properly with the LSM security features of
the Linux kernel and the SELinux facility.
One of the problems that CacheFiles faces is that it is generally acting on
behalf of a process that is in a security context that is not appropriate for
accessing the cache - either because the files in the cache are inaccessible to
that process, or because if the process creates a file in the cache, it'll be
inaccessible to other processes.
The way CacheFiles works is to temporarily change the security context (fsuid,
fsgid and actor security label) that the process acts as - without changing the
security context of the process when it the target of an operation performed by
some other process (so signalling and suchlike still work correctly).
When the CacheFiles module is asked to bind to its cache, it:
(1) Finds the security label attached to the root cache directory and uses
that as the security label with which it will create files. By default,
this is:
cachefiles_var_t
(2) Finds the security label of the process which issued the bind request
(presumed to be the cachefilesd daemon), which by default will be:
cachefilesd_t
and asks LSM to supply a security ID as which it should act given the
daemon's label. By default, this will be:
cachefiles_kernel_t
SELinux transitions the daemon's security ID to the module's security ID
based on a rule of this form in the policy.
type_transition <daemon's-ID> kernel_t : process <module's-ID>;
For instance:
type_transition cachefilesd_t kernel_t : process cachefiles_kernel_t;
The module's security ID gives it permission to create, move and remove files
and directories in the cache, to find and access directories and files in the
cache, to set and access extended attributes on cache objects, and to read and
write files in the cache.
The daemon's security ID gives it only a very restricted set of permissions: it
may scan directories, stat files and erase files and directories. It may
not read or write files in the cache, and so it is precluded from accessing the
data cached therein; nor is it permitted to create new files in the cache.
The policy source files are for reference installed as:
/usr/share/doc/cachefilesd/cachefilesd.te
/usr/share/doc/cachefilesd/cachefilesd.fc
/usr/share/doc/cachefilesd/cachefilesd.if
By default, the cache is located in /var/cache/fscache, but if it is desirable
that it should be elsewhere, than either the above policy files must be
altered, or an auxiliary policy must be installed to label the alternate
location of the cache.
For instructions on how to add an auxiliary policy to enable the cache to be
located elsewhere when SELinux is in enforcing mode, please see:
/usr/share/doc/cachefilesd/move-cache.txt
When the cachefilesd RPM is installed; alternatively, the document can be found
in the sources.

47
cachefilesd.8 Normal file
View File

@ -0,0 +1,47 @@
.\" -*- nroff -*-
.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\"
.TH cachefilesd 8 "14 November 2006"
.SH NAME
cachefilesd \- CacheFiles userspace management daemon
.SH SYNOPSIS
.B "cachefilesd [-d]* [-s] [-n] [-N] [-f <configfile>]"
.SH DESCRIPTION
The \fBcachefilesd\fP daemon manages the cache data store that is used by
network filesystems such a AFS and NFS to cache data locally on disk.
.P
The README file should be read before attempting to configure this facility:
.IP
/usr/share/doc/cachefilesd/README
.SH OPTIONS
.TP
.B -d
Turn on debugging mode (message written to stderr).
.TP
.B -s
Don't use syslog.
.TP
.B -n
Don't daemonise.
.TP
.B -N
Disable culling and scanning to fill the cull table.
.TP
.BI "-p <pidfile>"
Use an alternate PID file to /var/run/cachefilesd.pid.
.TP
.BI "-f <configfile>"
Read the alternate configuration files.
.SH FILES
.BR /etc/cachefilesd.conf
.SH SEE ALSO
\fBcachefilesd.conf\fR(5), /usr/share/doc/cachefilesd/README
.SH AUTHORS
.br
David Howells <dhowells@redhat.com>

1650
cachefilesd.c Normal file
View File

File diff suppressed because it is too large Load Diff

24
cachefilesd.conf Normal file
View File

@ -0,0 +1,24 @@
###############################################################################
#
# Copyright (C) 2006,2010 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
dir /var/cache/fscache
tag mycache
brun 10%
bcull 7%
bstop 3%
frun 10%
fcull 7%
fstop 3%
# Assuming you're using SELinux with the default security policy included in
# this package
secctx system_u:system_r:cachefiles_kernel_t:s0

187
cachefilesd.conf.5 Normal file
View File

@ -0,0 +1,187 @@
.\" -*- nroff -*-
.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\"
.TH CACHEFILESD.CONF 5 "14 November 2005" Linux "Cache Files Utilities"
.SH NAME
/etc/cachefilesd.conf \- Local file caching configuration file
.SH SYNOPSIS
.P
The configuration file for cachefilesd which can manage a persistent cache for
a variety of network filesystems using a set of files on an already mounted
filesystem as the data store.
.SH DESCRIPTION
.P
This configuration file can contain a number of commands. Each one should be
on a separate line. Blank lines and lines beginning with a '#' character are
considered to be comments and are discarded.
.P
The only mandatory command is:
.TP
.B dir <path>
This command specifies the directory containing the root of the cache. It may
only specified once per configuration file.
.P
All the other commands are optional:
.TP
.B secctx <label>
Specify an LSM security context as which the kernel will perform operations to
access the cache. The default is to use cachefilesd's security context. Files
will be created in the cache with the label of directory specified to the 'dir'
command.
.TP
.B brun <N>%
.TP
.B bcull <N>%
.TP
.B bstop <N>%
.TP
.B frun <N>%
.TP
.B fcull <N>%
.TP
.B fstop <N>%
These commands configure the culling limits. The defaults are 7% (run), 5%
(cull) and 1% (stop) respectively. See the section on cache culling for more
information.
.IP
The commands beginning with a 'b' are file space (block) limits, those
beginning with an 'f' are file count limits.
.TP
.B tag <name>
This command specifies a tag to FS-Cache to use in distinguishing multiple
caches. This is only required if more than one cache is going to be used. The
default is "CacheFiles".
.TP
.B culltable <log2size>
This command specifies the size of the tables holding the lists of cullable
objects in the cache. The bigger the number, the faster and more smoothly that
culling can proceed when there are many objects in the cache, but the more
memory will be consumed by cachefilesd.
.IP
The quantity is specified as log2 of the size actually required, for example 12
indicates a table of 4096 entries and 13 indicates 8192 entries. The
permissible values are between 12 and 20, the latter indicating 1048576
entries. The default is 12.
.TP
.B nocull
Disable culling. Culling and building up the cull table take up a certain
amount of a systems resources, which may be undesirable. Supplying this option
disables all culling activity. The cache will keep building up to the limits
set and won't be shrunk, except by the removal of out-dated cache files.
.TP
.B resume_thresholds <blocks> <files>
This command specifies the amount of blocks or files that the kernel should let
go of before the daemon should resume from culling table scan suspension.
.IP
Scanning to refill the cull table is suspended when all the objects in a cache
are pinned by a live network filesystem in the kernel and there's nothing to
cull.
.IP
Either value can be "-" to indicate that this threshold should be ignored.
.TP
.B debug <mask>
This command specifies a numeric bitmask to control debugging in the kernel
module. The default is zero (all off). The following values can be OR'd into
the mask to collect various information:
.RS
.TP
.B 1
Turn on trace of function entry (_enter() macros)
.TP
.B 2
Turn on trace of function exit (_leave() macros)
.TP
.B 4
Turn on trace of internal debug points (_debug())
.RE
.IP
This mask can also be set through /sys/module/cachefiles/parameters/debug.
.RE
.SH EXAMPLES
.P
As an example, consider the following:
.P
.RS
dir /var/cache/fscache
.br
secctx cachefiles_kernel_t
.br
tag mycache
.br
brun 10%
.br
bcull 7%
.br
bstop 3%
.br
secctx system_u:system_r:cachefiles_kernel_t:s0
.RE
.P
This places the cache storage objects in a directory called
"/var/cache/fscache", names the cache "mycache", permits the cache to run
freely as long as there's at least 10% free space on /var/cache/fscache/,
starts culling the cache when the free space drops below 7% and stops writing
new stuff into the cache if the amount of free space drops below 3%. If the
cache is suspended, it won't reactivate until the amount of free space rises
again to 10% or better.
.P
Furthermore, this will tell the kernel module the security context it should
use when accessing the cache (SELinux is assumed to be the LSM in this
example). In this case, SELinux would use cachefiles_kernel_t as the key into
the policy.
.SH CACHE CULLING
.P
The cache may need culling occasionally to make space. This involves
discarding objects from the cache that have been used less recently than
anything else. Culling is based on the access time of data objects. Empty
directories are culled if not in use.
.P
Cache culling is done on the basis of the percentage of blocks and the
percentage of files available in the underlying filesystem. There are six
"limits":
.TP
.B brun
.TP
.B frun
If the amount of free space and the number of available files in the cache
rises above both these limits, then culling is turned off.
.TP
.B bcull
.TP
.B fcull
If the amount of available space or the number of available files in the cache
falls below either of these limits, then culling is started.
.TP
.B bstop
.TP
.B fstop
If the amount of available space or the number of available files in the cache
falls below either of these limits, then no further allocation of disk space or
files is permitted until culling has raised things above these limits again.
.P
These must be configured thusly:
.IP
0 <= bstop < bcull < brun < 100
.br
0 <= fstop < fcull < frun < 100
.P
Note that these are percentages of available space and available files, and do
\fInot\fP appear as 100 minus the percentage displayed by the \fBdf\fP program.
.P
The userspace daemon scans the cache to build up a table of cullable objects.
These are then culled in least recently used order. A new scan of the cache is
started as soon as space is made in the table. Objects will be skipped if
their atimes have changed or if the kernel module says it is still using them.
.P
Culling can be disabled with the \fBnocull\fP option.
.SH SEE ALSO
\fBcachefilesd\fR(8), \fBdf\fR(1), /usr/share/doc/cachefilesd/README
.SH AUTHORS
.br
David Howells <dhowells@redhat.com>

128
cachefilesd.initd Executable file
View File

@ -0,0 +1,128 @@
#!/bin/bash
#
# cachefilesd Start up and shut down the cachefilesd daemon
#
### BEGIN INIT INFO
# Provides: fscache
# Required-Start: $local_fs $time
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Control the persistent network fs caching service
# Description: CacheFiles provides persistent local caching for network (and
# other) filesystems in a directory on a locally mounted disk.
### END INIT INFO
#
# chkconfig: - 13 87
# description: Starts user-level daemon that manages the caching files \
# used by Network Filsystems
#
# Source function library.
. /etc/init.d/functions
RETVAL=0
CONFFILE=/etc/cachefilesd.conf
LOCKFILE=/var/lock/subsys/cachefilesd
PIDFILE=/var/run/cachefilesd.pid
MODPROBE=/sbin/modprobe
MODPROBE_ARGS=""
PROG="cachefilesd"
OPTIONS="-f $CONFFILE"
[ ! -x /sbin/$PROG ] && exit 0
# Check for and source configuration file otherwise set defaults
[ -f /etc/sysconfig/$PROG ] && . /etc/sysconfig/$PROG
rh_status() {
status -p $PIDFILE -l $(basename $LOCKFILE) $PROG
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
start() {
[ `id -u` -eq 0 ] || return 4
[ -x $exec ] || return 5
[ -f $config ] || return 6
# Make sure the daemon is not already running.
rh_status_q && return 0
rm -f $LOCKFILE
echo -n $"Starting $PROG: "
# Set security contexts
/sbin/restorecon /sbin/cachefilesd || return 1
/sbin/restorecon /dev/cachefiles || return 1
/sbin/restorecon -R `awk -- '/^dir/ { print $2 }' $CONFFILE` || return 1
# Load the cachefiles module if needed
[ -x "$MODPROBE" ] && {
if ! /sbin/lsmod | grep cachefiles > /dev/null ; then
$MODPROBE cachefiles $MODPROBE_ARGS || return 1
fi
}
# Start daemon.
daemon --pidfile=$PIDFILE $PROG ${OPTIONS} 2>/dev/null
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $LOCKFILE
return $RETVAL
}
stop() {
[ `id -u` -eq 0 ] || return 4
rh_status_q || return 0
echo -n $"Shutting down $PROG: "
killproc -p $PIDFILE $PROG
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $LOCKFILE
return $RETVAL
}
usage() {
echo $"Usage: $0 {start|stop|restart|force-reload|condrestart|try-restart|status}"
}
if [ $# -gt 1 ]; then
exit 2
fi
case "$1" in
start|condstart)
start
;;
stop)
stop
;;
restart|force-reload)
stop; start
;;
condrestart|try-restart)
rh_status_q || exit 0
stop ; start
;;
reload)
usage
# unimplemented feature
exit 3
;;
status)
rh_status
;;
*)
usage
exit 2
;;
esac
exit $?

10
cachefilesd.service Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=Local network file caching management daemon
[Service]
Type=simple
ExecStartPre=-/sbin/modprobe -qab cachefiles
ExecStart=/usr/sbin/cachefilesd -n -f /etc/cachefilesd.conf
[Install]
WantedBy=multi-user.target

285
howto.txt Normal file
View File

@ -0,0 +1,285 @@
========================
FILESYSTEM LOCAL CACHING
========================
========
CONTENTS
========
(*) Introduction.
(*) Setting up a cache.
(*) Setting cache cull limits.
(*) Monitoring.
(*) Relocating the cache.
(*) Further information.
============
INTRODUCTION
============
Linux now supports local caching of certain filesystems (currently only NFS and
the in-kernel AFS filesystems). This permits remote data to be cached on local
disk, thus potentially speeding up future accesses to that data by avoiding the
need to go to the network and fetch it again.
This facility (known as FS-Cache) is designed to be as transparent as possible
to a user of the system. Applications should just be able to use NFS files as
normal, without any knowledge of there being a cache.
The administrator has to set up the cache in the first place, tell the system
to use it and then mark the NFS mount points they want caching, but the user
need not see any of that.
The facility can be conceptualised by the following diagram:
+--------+ +--------+ +--------+ +--------+
| | /\ | | | | | |
| NFS |--- \ ---->| NFS |------>| Page |---->| User |
| Server | \/ | Client | ^ | Cache | | App |
| | Network | | | | (RAM) | | |
+--------+ +--------+ | +--------+ +--------+
| |
| +-----+
V |
+--------+ +--------+ +---------+
| | | | | |
| FS- |<--->| Cache |<--->| /var/ |
| Cache | | Files | | fscache|
| | | | | |
+--------+ +--------+ +---------+
When a user application reads data, data flows left to right along the top row.
With a local cache is available, the NFS client copies any data it doesn't have
a local copy of into the cache if there's space such that the second and
subsequent times it tries to read that data, it retrieves it from the cache
instead.
FS-Cache is an intermediary between the network filesystems (such as NFS) and
the actual cache backends (such as CacheFiles) that do the real work. If there
aren't any caches available, FS-Cache will smooth over the fact, with as little
extra latency as possible.
CacheFiles is the only cache backend currently available. It uses files in a
directory nominated by the administrator to store the data given to it. The
contents of the cache are persistent over reboots.
==================
SETTING UP A CACHE
==================
Setting up a cache should be straightforward. The configuration for the
in-filesystem cache backend (CacheFiles) is placed in /etc/cachefilesd.conf.
There is a manual page available to cover the options in detail, but they will
be overviewed here. The cachefilesd package will need to be installed to use
the cache.
The administrator first needs to decide which directory they want to place the
cache in (typically /var/cache/fscache) and specify that to the system:
[/etc/cachefilesd.conf]
dir /var/cache/fscache
The cache will be stored in the filesystem that hosts that directory. For
something like a laptop, you'll probably want to select the root directory
here, but for a main desktop machine you might want to mount a disk partition
specifically for the cache.
The filesystem must support user-defined extended attributes as these are used
by CacheFiles to store coherency maintenance information. User-defined
extended attributes can be turned on on an Ext3 filesystem by doing the
following:
tune2fs -o user_xattr /dev/hdxN
or by mounting the filesystem like this:
mount /dev/hda6 /var/cache/fscache/ -o user_xattr
All other requirements should be met by using a RHEL5+ or FC6+ kernel and using
Ext3 (ReiserFS and XFS will also meet the requirements). See the "Further
information" section for more information.
The CacheFiles backend works by using up free space on the disk, caching remote
data in it. See the section on "Setting cache cull limits" for configuring how
much free space it maintains. This is, however, optional as defaults are set.
Once the configuration file is in place, just start up the cachefilesd service:
systemd start cachefilesd.service
And the cache is ready to go. This can be made to happen automatically on boot
by running this as root:
systemd enable cachefilesd.service
========================
USING THE CACHE WITH NFS
========================
NFS will not use the cache unless explicitly told to do so. This is done by
attaching an extra option to an NFS mount ("-o fsc"), for instance:
mount fred:/ /fred -o fsc
All the accesses to files under /fred will then be put through the cache,
provided they aren't opened for direct I/O or opened for writing (see below).
NFS supports caching for version 2, 3 and 4, though they'll use different
branches of the cache for each.
NFS keys the contents of the cache on the server and the NFS file handle,
meaning that hard linked files share the cache correctly.
CACHE LIMITATIONS WITH NFS
--------------------------
If a file is opened for direct-I/O, the cache will be bypassed because the I/O
must be direct to the server.
If the file is opened for writing, NFS version 2 and 3 protocols don't provide
sufficient coherency management information for the client to be able to detect
a write from another client that overlapped with one that it did.
So if a file is opened for direct-I/O or for writing, the copy of the data
cached on disk will be retired and that file will cease being cached until it
is no longer being used by that client.
=========================
SETTING CACHE CULL LIMITS
=========================
The CacheFiles backend works by using up free space on the disk, caching remote
data in it. This could, potentially, consume the entirety of the free space,
which if it was also your root partition, would be bad. To control this,
CacheFiles tries to maintain a certain amount of free space, and will shrink
the cache to compensate if whatever else is on the disk grows.
This can be controlled by three settings:
[/etc/cachefilesd.conf]
brun 20%
bcull 10%
bstop 5%
These are specified as percentages of the total disk space. When the amount of
available free space drops below the "bcull" or "bstop" limits, the cache
management daemon will start reducing the amount of data in the cache, and when
the available free space rises above the "brun" limit, the culling will cease.
This provides hysteresis. Note that the following must hold true:
0 <= bstop < bcull < brun < 100
Similarly, some filesystems have limited numbers of files that they can
actually support (Ext3 for instance falls into this category). If the data
being pulled from the server is in lots of small files, then this can quickly
use up all the files available to the cache without using up all the data. To
counter this problem, the cache tries to maintain a minimum percentage of free
files, just as it does for available free space. This can also be configured:
[/etc/cachefilesd.conf]
frun 20%
fcull 10%
fstop 5%
And this must hold true:
0 <= fstop < fcull < frun < 100
The defaults are 7% (run), 5% (cull) and 1% (stop) for both groups of settings.
When the bstop or fstop limit is reached, no more data will be added to the
cache until appropriate parameter falls back beneath the run limit.
==========
MONITORING
==========
The state of NFS filesystem caching can be monitored to a certain extent by the
data exposed through files in /proc/sys/fs/nfs/:
(*) nfs_fscache_to_pages
The number of pages of data NFS has added to the cache.
(*) nfs_fscache_from_pages
The number of pages of data NFS has retrieved from the cache.
(*) nfs_fscache_uncache_page
The number of active page bindings that NFS has removed from the
cache. (Note that just because a page binding has been released, it
does not mean the page has been removed from the cache, just that NFS
is no longer using that particular bit of the cache at the moment).
(*) nfs_fscache_from_error
The last error incurred when reading page(s) from the cache.
(*) nfs_fscache_to_error
The last error incurred when writing a page to the cache.
Note that these sysctl parameters are only temporary and will be integrated in
to the NFS per-mount statistics sometime in the future.
Futhermore, the caching state of individual mountpoints can be examined through
other /proc files. For instance:
[root@andromeda ~]# cat /proc/fs/nfsfs/servers
NV SERVER PORT USE HOSTNAME
v4 ac101209 801 1 home0
[root@andromeda ~]# cat /proc/fs/nfsfs/volumes
NV SERVER PORT DEV FSID FSC
v4 ac101209 801 0:16 9:2 no
v4 ac101209 801 0:17 9:3 yes
The "FSC" column says "yes" when the system has been asked to cache a
particular NFS share/volume/export, and "no" when it hasn't.
====================
RELOCATING THE CACHE
====================
By default, the cache is located in /var/cache/fscache, but this may be
undesirable. Unless SELinux is being used in enforcing mode, relocating the
cache is trivially a matter of changing the "dir" line in /etc/cachefilesd.
However, if SELinux is being used in enforcing mode, then it's not that
simple. The security policy that governs access to the cache must be changed.
For more information, see:
move-cache.txt
===================
FURTHER INFORMATION
===================
On the subject of the CacheFiles facility and configuring it:
/usr/share/doc/cachefilesd/README
/usr/share/man/man5/cachefilesd.conf.5.gz
/usr/share/man/man8/cachefilesd.8.gz
For general information, including the design constraints and capabilities,
see:
/usr/share/doc/kernel-doc-2.6.17/Documentation/filesystems/caching/fscache.txt

199
redhat/cachefilesd.spec Normal file
View File

@ -0,0 +1,199 @@
# % define buildid .local
Name: cachefilesd
Version: 0.10.10
Release: 1%{?dist}%{?buildid}
Summary: CacheFiles user-space management daemon
Group: System Environment/Daemons
License: GPLv2+
URL: http://people.redhat.com/~dhowells/fscache/
Source0: http://people.redhat.com/dhowells/fscache/cachefilesd-%{version}.tar.bz2
BuildRequires: systemd-units
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: selinux-policy-base >= 3.7.19-5
%define _hardened_build 1
%description
The cachefilesd daemon manages the caching files and directory that are that
are used by network file systems such a AFS and NFS to do persistent caching to
the local disk.
%global docdir %{_docdir}/cachefilesd
%prep
%setup -q
%build
make all \
ETCDIR=%{_sysconfdir} \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
CFLAGS="-Wall -Werror $RPM_OPT_FLAGS $RPM_LD_FLAGS $ARCH_OPT_FLAGS"
%install
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{_mandir}/{man5,man8}
mkdir -p %{buildroot}%{_localstatedir}/cache/fscache
make DESTDIR=%{buildroot} install \
ETCDIR=%{_sysconfdir} \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
CFLAGS="-Wall $RPM_OPT_FLAGS -Werror"
install -m 644 cachefilesd.conf %{buildroot}%{_sysconfdir}
install -m 644 cachefilesd.service %{buildroot}%{_unitdir}/cachefilesd.service
%post
%systemd_post cachefilesd.service
%preun
%systemd_preun cachefilesd.service
%postun
%systemd_postun_with_restart cachefilesd.service
%files
%doc README
%doc howto.txt
%doc selinux/move-cache.txt
%doc selinux/*.fc
%doc selinux/*.if
%doc selinux/*.te
%config(noreplace) %{_sysconfdir}/cachefilesd.conf
%{_sbindir}/*
%{_unitdir}/*
%{_mandir}/*/*
%{_localstatedir}/cache/fscache
%changelog
* Wed Mar 7 2017 David Howells <dhowells@redhat.com> 0.10.10-1
- Stop using readdir_r [RH BZ 1423289].
* Wed Feb 17 2016 David Howells <dhowells@redhat.com> 0.10.9-1
- Fix name of directory in Makefile-generated tarball.
* Wed Feb 17 2016 David Howells <dhowells@redhat.com> 0.10.8-1
- Use systemd interaction macros in specfile installation sections [RH BZ 850053].
- Fix the service file to use /usr/sbin/ rather than /sbin/.
- Turn on RELRO and PIE build hardening in RPM builds.
* Wed Feb 3 2016 David Howells <dhowells@redhat.com> 0.10.7-1
- Call setgroups() before calling setuid() (caught by rpmlint).
* Wed Feb 3 2016 David Howells <dhowells@redhat.com> 0.10.6-1
- Note the correct licence.
- Handle malformed kernel status correctly.
- Permit culling to be disabled on the command line with the -N flag.
- Suspend culling when cache space is short and cache objects are pinned.
* Tue Dec 6 2011 David Howells <dhowells@redhat.com> 0.10.5-1
- Fix systemd service data according to review comments [RH BZ 754811].
* Tue Dec 6 2011 Dan Horák <dan[at]danny.cz>
- use Fedora CFLAGS in build (fixes build on s390)
* Wed Nov 30 2011 David Howells <dhowells@redhat.com> 0.10.4-1
- Fix packaging of systemd service file [RH BZ 754811].
- Fix rpmlint complaints.
* Tue Nov 22 2011 David Howells <dhowells@redhat.com> 0.10.3-1
- Move to native systemd management [RH BZ 754811].
* Fri Jul 15 2011 David Howells <dhowells@redhat.com> 0.10.2-1
- Downgrade all the culling messages to debug level [RH BZ 660347].
* Fri Jun 18 2010 David Howells <dhowells@redhat.com>
- Fix the initscript to have the appropriate parseable description and exit codes.
* Wed Apr 28 2010 David Howells <dhowells@redhat.com>
- Fix the Requires line on selinux-policy-base to be >=, not =.
* Fri Apr 23 2010 David Howells <dhowells@redhat.com> 0.10.1-1
- The SELinux policies for cachefilesd now live in the selinux-policy RPM, so
the cachefilesd-selinux RPM is now redundant.
- Move the default cache dir to /var/cache/fscache.
- Make the initscript do a restorecon when starting the cache to make sure the
labels are correct.
- Fix a wildchar that should be a literal dot in the SELinux policy.
* Thu Feb 25 2010 David Howells <dhowells@redhat.com> 0.10-1
- Fix the SELinux policies for cachefilesd.
- Compress the installed policy files.
* Tue Feb 23 2010 David Howells <dhowells@redhat.com>
- Must include sys/stat.h to use stat() and co. [RH BZ 565135].
- Remove tail comments from functions.
* Thu Aug 9 2007 David Howells <dhowells@redhat.com> 0.9-1
- The cachefiles module no longer accepts directory fds on cull and inuse
commands, but rather uses current working directory.
* Mon Jul 2 2007 David Howells <dhowells@redhat.com> 0.8-16
- Use stat64/fstatat64 to avoid EOVERFLOW errors from the kernel on large files.
* Tue Nov 14 2006 David Howells <dhowells@redhat.com> 0.8-15
- Made cachefilesd ask the kernel whether cullable objects are in use and omit
them from the cull table if they are.
- Made the size of cachefilesd's culling tables configurable.
- Updated the manual pages.
* Mon Nov 13 2006 David Howells <dhowells@redhat.com> 0.8-14
- Documented SELinux interaction.
* Fri Nov 10 2006 David Howells <dhowells@redhat.com> 0.8-11
- Include SELinux policy for cachefilesd.
* Thu Oct 19 2006 Steve Dickson <steved@redhat.com> 0.7-3
- Fixed typo that was causing the howto.txt not to be installed.
* Tue Oct 17 2006 David Howells <dhowells@redhat.com> 0.8-1
- Use /dev/cachefiles if it present in preference to /proc/fs/cachefiles.
- Use poll rather than SIGURG on /dev/cachefilesd.
* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 0.7-2
- rebuilt for unwind info generation, broken in gcc-4.1.1-21
* Fri Sep 22 2006 Steve Dickson <steved@redhat.com> 0.7-1
- updated to 0.7 which adds the howto.txt
* Wed Aug 30 2006 Steve Dickson <steved@redhat.com> 0.6-1
- Fixed memory corruption problem
- Added the fcull/fstop/frun options
* Fri Aug 11 2006 Steve Dickson <steved@redhat.com> 0.5-1
- Upgraded to 0.5 which fixed initial scan problem when
started on an empty cache (bz 202184)
* Tue Aug 8 2006 Steve Dickson <steved@redhat.com> 0.4-3
- Updated init.d script to look for cachefilesd in /sbin
- Added postun and preun rules so cachefilesd is stopped
and started when the rpm is updated or removed.
* Tue Aug 8 2006 Jesse Keating <jkeating@redhat.com> 0.4-2
- require /sbin/chkconfig not /usr/bin/chkconfig
* Tue Aug 1 2006 David Howells <dhowells@redhat.com> 0.4-1
- Discard use of autotools
* Tue Aug 1 2006 Steve Dickson <steved@redhat.com> 0.3-3
- Added URL to source file
* Fri Jul 28 2006 Steve Dickson <steved@redhat.com> 0.3-2
- Added post and preun rules
- Changed init.d script to up right before portmapper.
* Fri Jun 9 2006 Steve Dickson <steved@redhat.com> 0.3-1
- Incorporated David Howells manual page updates
* Thu Jun 8 2006 Steve Dickson <steved@redhat.com> 0.2-1
- Made the daemon 64-bit application.
- Changed the syslog logging to log the daemon's PID
- Changed OS error logging to log errno number as well the string
* Sat Apr 22 2006 Steve Dickson <steved@redhat.com> 0.1-1
- Initial commit

29
selinux/cachefilesd.fc Normal file
View File

@ -0,0 +1,29 @@
###############################################################################
#
# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
# Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
#
# Define the contexts to be assigned to various files and directories of
# importance to the CacheFiles kernel module and userspace management daemon.
#
# cachefilesd executable will have:
# label: system_u:object_r:cachefilesd_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)

41
selinux/cachefilesd.if Normal file
View File

@ -0,0 +1,41 @@
###############################################################################
#
# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
# Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
#
# Define the policy interface for the CacheFiles userspace management daemon.
#
## <summary>policy for cachefilesd</summary>
########################################
## <summary>
## Execute a domain transition to run cachefilesd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`cachefilesd_domtrans',`
gen_require(`
type cachefilesd_t, cachefilesd_exec_t;
')
domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
allow $1 cachefilesd_t:fd use;
allow cachefilesd_t $1:fd use;
allow cachefilesd_t $1:fifo_file rw_file_perms;
allow cachefilesd_t $1:process sigchld;
')

146
selinux/cachefilesd.te Normal file
View File

@ -0,0 +1,146 @@
###############################################################################
#
# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
# Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
#
# This security policy governs access by the CacheFiles kernel module and
# userspace management daemon to the files and directories in the on-disk
# cache, on behalf of the processes accessing the cache through a network
# filesystem such as NFS
#
policy_module(cachefilesd,1.0.17)
###############################################################################
#
# Declarations
#
require { type kernel_t; }
#
# Files in the cache are created by the cachefiles module with security ID
# cachefiles_var_t
#
type cachefiles_var_t;
files_type(cachefiles_var_t)
#
# The /dev/cachefiles character device has security ID cachefiles_dev_t
#
type cachefiles_dev_t;
dev_node(cachefiles_dev_t)
#
# The cachefilesd daemon normally runs with security ID cachefilesd_t
#
type cachefilesd_t;
type cachefilesd_exec_t;
domain_type(cachefilesd_t)
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
#
# The cachefilesd daemon pid file context
#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
#
# The CacheFiles kernel module causes processes accessing the cache files to do
# so acting as security ID cachefiles_kernel_t
#
type cachefiles_kernel_t;
domain_type(cachefiles_kernel_t)
domain_obj_id_change_exemption(cachefiles_kernel_t)
role system_r types cachefiles_kernel_t;
###############################################################################
#
# Permit RPM to deal with files in the cache
#
rpm_use_script_fds(cachefilesd_t)
###############################################################################
#
# cachefilesd local policy
#
# These define what cachefilesd is permitted to do. This doesn't include very
# much: startup stuff, logging, pid file, scanning the cache superstructure and
# deleting files from the cache. It is not permitted to read/write files in
# the cache.
#
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
# rules.
#
allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
# Basic access
files_read_etc_files(cachefilesd_t)
libs_use_ld_so(cachefilesd_t)
libs_use_shared_libs(cachefilesd_t)
miscfiles_read_localization(cachefilesd_t)
logging_send_syslog_msg(cachefilesd_t)
init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_file(cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
# Allow access to cachefiles device file
allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
###############################################################################
#
# When cachefilesd invokes the kernel module to begin caching, it has to tell
# the kernel module the security context in which it should act, and this
# policy has to approve that.
#
# There are two parts to this:
#
# (1) the security context used by the module to access files in the cache,
# as set by the 'secctx' command in /etc/cachefilesd.conf, and
#
allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
#
# (2) the label that will be assigned to new files and directories created in
# the cache by the module, which will be the same as the label on the
# directory pointed to by the 'dir' command.
#
allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
###############################################################################
#
# cachefiles kernel module local policy
#
# This governs what the kernel module is allowed to do the contents of the
# cache.
#
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
allow cachefiles_kernel_t initrc_t:process sigchld;
manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
fs_getattr_xattr_fs(cachefiles_kernel_t)
dev_search_sysfs(cachefiles_kernel_t)

89
selinux/move-cache.txt Normal file
View File

@ -0,0 +1,89 @@
=====================================================
RELOCATING THE CACHE WITH SELINUX ENFORCEMENT ENABLED
=====================================================
If the cache is being used on a system on which SELinux is active and running
in enforcing mode, then the security policy installed by the cachefilesd RPM
needs to be updated to permit the CacheFiles module and daemon to access the
cache if the cache is moved.
The simplest way to do this is to add an auxiliary policy to mark out the
location of the new cache, whilst leaving the old location still available for
caching. If anything more is required, then it will be necessary to modify the
policy that is installed.
Example sources for the installed policy will be themselves installed by the
cachefilesd RPM in:
/usr/share/doc/cachefilesd/
See the files named:
cachefilesd.te
cachefilesd.fc
cachefilesd.if
The policy actually used for the defaults, however, is part of the SELinux
package.
==========================
ADDING AN AUXILIARY POLICY
==========================
Creating and adding an auxiliary policy is very easy. Follow the following
steps:
(0) Check that checkpolicy and selinux-policy* packages are installed. These
are needed to build your policy.
(1) Create a new directory and go into it.
(2) Create a source file to reference the security ID already set up for files
in the cache as you'll need these to label your own cache directory.
Assuming you're going to name your policy "mycache", this would have to be
called "mycache.te":
[mycache.te]
policy_module(mycache,1.0.0)
require { type cachefiles_var_t; }
(3) Create a source file to note the directory in which you wish your cache to
reside. This file should be named for your policy, plus a ".fc" suffix:
[mycache.fc]
/mycache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
This specifies the security ID for the directory in which your cache will
live and all its descendents. Replace "/mycache" with the path to your
cache's directory.
(4) Build the policy:
make -f /usr/share/selinux/devel/Makefile
(5) And install it:
semodule -i mycache.pp
(6) Create your directory and tell SELinux to label it appropriately:
mkdir /mycache
restorecon /mycache
(7) Check that the directory is labelled appropriately:
ls -dZ /mycache
(8) Modify /etc/cachefilesd.conf to point to the correct directory and then
start the cachefilesd service.
The auxiliary policy can be later removed by:
semodule -r mycache.pp
If the policy is updated, then the version number in policy_module() in
mycache.te should be increased and the module upgraded:
semodule -u mycache.pp