From: Vivek Goyal <vgoyal@redhat.com>
To: Link Dupont <link@sub-pop.net>
Cc: virtio-fs-list <virtio-fs@redhat.com>, libvirt-users@redhat.com
Subject: Re: [Virtio-fs] virtiofs mounted filesystems & SELinux
Date: Fri, 4 Jun 2021 09:44:39 -0400	[thread overview]
Message-ID: <20210604134439.GB269481@redhat.com> (raw)
In-Reply-To: <0KN5UQ.JVDR5LJRMJIQ3@sub-pop.net>

On Thu, Jun 03, 2021 at 10:14:24PM -0400, Link Dupont wrote:
> On Thu, Jun 3 2021 at 08:56:46 PM -0400, Link Dupont <link@sub-pop.net>
> wrote:
> >  reproducible scenarios
> 
> Alright. I reran my tests with a CentOS 8 guest. On CentOS 8 (with a
> virtiofs filesystem and with xattr on), the type of files in the mounted
> hierarchy is unlabeled_t. I can work around that by switching SELinux in
> the guest to permissive or disabled.

cc Dan Walsh. I was discussing this with Dan Walsh yesterday in general.

In general, if we want to enable SELinux both on host and guest, then
both host and guest should have the same SELinux policy. Otherwise there
will be a lot of different kinds of conflicts because both host and
guest will try to work with the same selinux label. I guess that in
practice this will be very hard to achieve as people will run
different host and guest flavors and these might have different
policies.

So another option is to rename the selinux xattr in virtiofs so that
any selinux xattr coming from the guest is saved as the
user.virtiofs.security.selinux xattr on the host. That way host and guest
can have their separate labels without interfering with each other.
David Gilbert has already added support for this. I can't remember
the exact syntax but you can figure it out from the documentation here,
in the xattr remapping section.

https://github.com/qemu/qemu/blob/master/docs/tools/virtiofsd.rst

But I have a question about selinux xattr remapping. What will happen
to the initial labels when the fs is exported? I mean, until and unless
some process in the guest labels all the exported files, they will
either be unlabeled or pick some generic label for all the
files.

Another option is, can we use a single label for the whole of the
virtiofs (using the context=<label> option) in the guest? That way nothing
is saved in files as such. But this means that processes in the guest
can't have different selinux labels on different virtiofs dirs/files.

Dan, what do you think?

Thanks
Vivek


> 
> With a CentOS 7 guest, things get less usable. I digested this to a
> reproducible scenario.
> 
> Build a disk image with `virt-builder`, configuring the CentOS Plus kernel
> to get 9p support.
> 
> virt-builder centos-7.8 \
> --root-password password:centos \
> --output centos-7.8.qcow2 \
> --install yum-utils \
> --run-command 'yum-config-manager --enable centosplus' \
> --run-command 'sed -ie "s/DEFAULTKERNEL=kernel/DEFAULTKERNEL=kernel-plus/" /etc/sysconfig/kernel' \
> --append-line '/etc/dracut.conf.d/virtio.conf:add_drivers+="virtio_scsi virtio_pci virtio_console"' \
> --append-line '/etc/modules-load.d/9pnet_virtio.conf:9pnet_virtio' \
> --install kernel-plus \
> --append-line '/etc/fstab:home /home 9p trans=virtio,version=9p2000.L 0 0'
> 
> Install the volume into the `default` pool.
> 
> sudo install -m644 centos-7.8.qcow2 /var/lib/libvirt/images
> 
> Next, define a domain using the disk image (using `virt-install` here for
> "easy mode").
> 
> virt-install \
> --import \
> --os-variant centos7.0 \
> --name centos \
> --ram 2048 \
> --disk path=/var/lib/libvirt/images/centos-7.8.qcow2 \
> --memorybacking access.mode=shared \
> --filesystem source=/home,target=home,accessmode=passthrough \
> --autoconsole none
> 
> Now with SELinux enforcing, I cannot list the contents of the directories in
> the mounted hierarchy.
> 
> [root@localhost ~]# ls -lZ /home/link
> ls: cannot open directory /home/link: Permission denied
> 
> 
> 

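The two labelling strategies weighed in Vivek's reply (remapping the guest's security.selinux xattr to a separate host xattr name, versus one context=<label> for the whole mount) can be seen side by side in the toy model below. This is an added illustration, not virtiofsd code and not from the thread's participants; it assumes the remap target name user.virtiofs.security.selinux as described in the mail, uses constructed sample labels and paths, and models the context= mount's refusal of per-file relabelling as EOPNOTSUPP. The virtiofsd option syntax itself is deliberately not modelled.

```python
import errno

# Names used by the model. The host-side name follows the mail's description
# (guest security.selinux saved as user.virtiofs.security.selinux on the host);
# the exact virtiofsd xattrmap syntax is not modelled here.
GUEST_LABEL_XATTR = "security.selinux"
HOST_REMAPPED_XATTR = "user.virtiofs.security.selinux"  # assumption, per the mail
UNLABELED = "system_u:object_r:unlabeled_t:s0"  # what the guest reports with no label


class HostFile:
    """One exported file and its host-side xattrs (constructed sample data)."""

    def __init__(self, path, host_label=None):
        self.path = path
        self.xattrs = {}
        if host_label is not None:
            # The host's own SELinux label, as written by the host policy.
            self.xattrs[GUEST_LABEL_XATTR] = host_label


class RemappedExport:
    """Export where the guest's security.selinux is stored under a different
    host xattr name, so host and guest labels live side by side."""

    def __init__(self, files):
        self.files = {f.path: f for f in files}

    @staticmethod
    def _host_name(name):
        return HOST_REMAPPED_XATTR if name == GUEST_LABEL_XATTR else name

    def guest_getxattr(self, path, name):
        return self.files[path].xattrs.get(self._host_name(name))

    def guest_setxattr(self, path, name, value):
        self.files[path].xattrs[self._host_name(name)] = value

    def host_getxattr(self, path, name):
        return self.files[path].xattrs.get(name)

    def guest_label(self, path):
        # Until something in the guest relabels the file, there is nothing under
        # the remapped name, so the guest treats the file as unlabeled (the
        # unlabeled_t result reported in the thread).
        return self.guest_getxattr(path, GUEST_LABEL_XATTR) or UNLABELED


class ContextExport:
    """Export mounted in the guest with context=<label>: one label for every
    file, nothing stored per file, and no per-file relabelling possible."""

    def __init__(self, files, context):
        self.files = {f.path: f for f in files}
        self.context = context

    def guest_getxattr(self, path, name):
        if name == GUEST_LABEL_XATTR:
            return self.context
        return self.files[path].xattrs.get(name)

    def guest_setxattr(self, path, name, value):
        if name == GUEST_LABEL_XATTR:
            # Modelled as EOPNOTSUPP: a context= mount has no per-file labels.
            raise OSError(errno.EOPNOTSUPP, "per-file labels unsupported on context= mount")
        self.files[path].xattrs[name] = value

    def guest_label(self, path):
        return self.guest_getxattr(path, GUEST_LABEL_XATTR)

    def host_getxattr(self, path, name):
        return self.files[path].xattrs.get(name)


def demo():
    """Run both strategies over the same constructed host file and return what
    each side observes, so the trade-off can be checked rather than read."""
    host_label = "unconfined_u:object_r:user_home_t:s0"   # constructed host label
    guest_label = "guest_u:object_r:example_t:s0"         # constructed guest label
    path = "/home/link/notes.txt"                         # constructed path

    remapped = RemappedExport([HostFile(path, host_label)])
    before = remapped.guest_label(path)                   # unlabeled until relabelled
    remapped.guest_setxattr(path, GUEST_LABEL_XATTR, guest_label)
    after = remapped.guest_label(path)

    ctx = ContextExport([HostFile(path, host_label)], guest_label)
    try:
        ctx.guest_setxattr(path, GUEST_LABEL_XATTR, "anything")
        relabel_errno = None
    except OSError as exc:
        relabel_errno = exc.errno

    return {
        "remap_before_guest_relabel": before,
        "remap_after_guest_relabel": after,
        "remap_host_label_untouched": remapped.host_getxattr(path, GUEST_LABEL_XATTR),
        "remap_host_sees_guest_label_under": remapped.host_getxattr(path, HOST_REMAPPED_XATTR),
        "context_label": ctx.guest_label(path),
        "context_relabel_errno": relabel_errno,
        "context_host_label_untouched": ctx.host_getxattr(path, GUEST_LABEL_XATTR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the remapped export's file as unlabeled_t before any guest relabel and shows that a guest relabel lands only under the remapped host name, leaving the host's own security.selinux intact; the context= export reports the mount label for every file and refuses per-file relabelling, which is exactly the limitation Vivek raises about processes in the guest not being able to give different virtiofs files different labels.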
