From: "Harry G. Coin" <hgcoin@gmail.com>
To: dwalsh@redhat.com, Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com
Subject: Re: [Virtio-fs] restorcon/SELinux virtiofs question
Date: Fri, 20 Nov 2020 11:11:28 -0600
Message-ID: <eecb8c4e-9fd9-39ba-024b-c35953e769ef@gmail.com>
In-Reply-To: <d6a20a5e-3da3-b73b-03b6-24eb044c05a6@redhat.com>


On 11/20/20 9:01 AM, Daniel Walsh wrote:
> On 11/19/20 14:44, Vivek Goyal wrote:
>> On Thu, Nov 19, 2020 at 01:44:36PM -0500, Vivek Goyal wrote:
>>> On Thu, Nov 19, 2020 at 01:38:41PM -0500, Vivek Goyal wrote:
>>>> On Thu, Nov 19, 2020 at 12:27:20PM -0600, Harry G. Coin wrote:
>>>>> On 11/19/20 12:16 PM, Vivek Goyal wrote:
>>>>>> On Thu, Nov 19, 2020 at 10:52:51AM -0600, Harry G. Coin wrote:
>>>>>>> Hello virtiofs team.  I need clarification about a 'restorecon'
>>>>>>> SELinux guest giving an 'operation not supported' response.
>>>>>>>
>>>>>>> If the host fs is btrfs (with xattr enabled in virtiofsd) but not
>>>>>>> running SELinux,
>>>>>> I suspect that on host setxattr(security.selinux) is failing with
>>>>>> "operation not supported".
>>>>>>
>>>>>> What do you mean by host "not running SELinux"? SELinux is not
>>>>>> compiled in? Or it is disabled or in passive mode?
>>>>>>
>>>>>> Is it working with filesystems other than btrfs, say ext4 or xfs?
>>>>>>
>>>>>> Now qemu supports xattr remapping. You might want to run virtiofsd
>>>>>> to remap security.selinux. I think that might get you going till
>>>>>> the root cause of the issue is found.
>>>>>>
>>>>>> Vivek
>>>>> Thank you for the focus.   The host os in this instance is not
>>>>> from the fedora/rhel/centos world with selinux running.  My case is a
>>>>> debian sourced distro (ubuntu).  That world uses 'apparmor' by default,
>>>>> not selinux.   I think it's reasonable to suppose there are a lot of
>>>>> servers out there not running selinux that have lots of vms running on
>>>>> them, not all using virtiofs.  There should be a documented way to allow
>>>>> the 'restorecon' command on one of many guests on such hosts to work.  I
>>>>> suppose to wrap this up:
>>>>>
>>>>> For the future readers who got here by searching,  could you give the
>>>>> first kernel version that supports a non-selinux host supporting an
>>>>> selinux enabled guest and the virtiofsd command line necessary to get
>>>>> the restorecon command to work normally?
>>>> I don't know yet. Because I don't know what's the root cause of the
>>>> issue.
>>>>
>>>> The way you are explaining it, it looks like the host kernel somehow is
>>>> blocking setxattr(security.selinux). And I have no idea why. Is it
>>>> apparmor or something else?
>>>>
>>>> If no selinux module is loaded on host, then as long as virtiofsd
>>>> process has CAP_SYS_ADMIN, it should be able to set security.selinux.
>>>>
>>>> "Operation not supported" means error "EOPNOTSUPP". I am assuming
>>>> you are running virtiofsd with "-o xattr" to make sure virtiofsd
>>>> supports xattr. If that's the case, somehow the kernel is returning
>>>> "EOPNOTSUPP".
>>>>
>>>> Can you run virtiofsd with the debug option -d, try to install that
>>>> package in the guest, and capture the output of virtiofsd and post it
>>>> here? It might confirm that the host kernel is returning the error.
>>> I tried doing "chcon unconfined_u:object_r:admin_home_t:s0 bar.txt"
>>> on a file in virtiofs and got "Operation not supported". I think
>>> guest kernel failed this. Will need to debug further.
>> Ok, Dan Walsh says that it probably is due to the fact that selinux
>> policy in guest is not aware of virtiofs. He has opened a PR to
>> add that.
>>
>> https://github.com/fedora-selinux/selinux-policy/pull/478
>>
>> I am not sure what distribution you are running as guest but it
>> probably will require similar changes. Once this package is built
>> I will give it a try.
>>
>> Thanks
>> Vivek
>
> Correct. The guest OS has to have SELinux enabled, and the virtiofs
> file system within the VM needs to have SELinux policy that says it
> supports labeling on xattrs. Otherwise, when you attempt to set labels
> on the file system, SELinux inside of the kernel will say that virtiofs
> does not support SELinux labels, which is what you are seeing.
>
It is the advertising and presumption of those using 'virtual machines'
that they are 'runnable' on any host.  If I read the above correctly,
because there's no telling which of the hundreds of packages in the
fedora/centos/rhel world will fail on built-in restorecon calls,
virtiofs is now excluded for general use except on SELinux enabled
hosts.  There are, (cough) a fair few hosts out there which are not running
SELinux, whose operators hope/need to provide vm guest services to the
fedora/rhel/centos package users.  So, I ask the virtiofs folks to
consider creating or defining an option allowing fedora/rhel/centos
guests a way to succeed.  Or, in the alternative, a clear warning that
virtiofs is not a good choice for rhel/centos/fedora guests on other
than rhel/centos/fedora bare-metal requiring selinux enabled.

HC
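As a triage aid for the "Operation not supported" failure discussed in this thread, the following is an added Python example; it is not code from any participant, from the virtiofs project, or from the SELinux policy PR linked above. It performs the same setxattr(security.selinux) call that chcon and restorecon make (using the label from the chcon command quoted above), reads the label back, and maps a failing errno to a likely cause. The errno-to-cause table, the helper names and the injectable setxattr/getxattr hooks are my assumptions for illustration; run it inside the guest against a file on the virtiofs mount and compare with the output of virtiofsd -d on the host.

```python
"""Probe whether a path accepts SELinux labels via xattr and explain a failure.

Added diagnostic example (not from the thread). It tries the same
setxattr(security.selinux) that chcon/restorecon perform and maps the
errno to a likely cause. The errno-to-cause mapping is an assumption
drawn from how the kernel capability and SELinux hooks behave; treat it
as a triage hint, not a verdict.
"""
import errno
import os
import tempfile
from typing import Callable, Dict, Optional, Tuple

SELINUX_XATTR = "security.selinux"
# Label taken from the chcon command quoted in the thread.
SAMPLE_LABEL = b"unconfined_u:object_r:admin_home_t:s0"

# Likely cause per errno (assumption, written as a triage hint).
CAUSES: Dict[int, Tuple[str, str]] = {
    errno.EOPNOTSUPP: (
        "unsupported",
        "the filesystem or the guest SELinux policy does not allow labels "
        "on this mount (for virtiofs: policy lacks xattr-labeling support "
        "for the fs type, or virtiofsd runs without '-o xattr')"),
    errno.EPERM: (
        "not-permitted",
        "the writer lacks CAP_SYS_ADMIN for security.* xattrs (e.g. the "
        "virtiofsd process on the host dropped the capability)"),
    errno.EACCES: (
        "denied",
        "SELinux policy or DAC denied the relabel; check the AVC/audit log"),
}


def classify_failure(exc: OSError) -> Tuple[str, str]:
    """Map an OSError from setxattr(security.selinux) to (class, explanation)."""
    if exc.errno in CAUSES:
        return CAUSES[exc.errno]
    return ("unknown", f"unexpected errno {exc.errno}: {exc.strerror}")


def failing_setxattr(errno_name: str) -> Callable:
    """Build a fake setxattr that fails with the named errno (dry runs/self-tests)."""
    code = getattr(errno, errno_name)

    def _fail(path, name, value):
        raise OSError(code, os.strerror(code))
    return _fail


def probe_label_support(path: str,
                        label: bytes = SAMPLE_LABEL,
                        setxattr: Optional[Callable] = None,
                        getxattr: Optional[Callable] = None) -> dict:
    """Try to set and read back a SELinux label on `path`.

    Returns {'ok', 'class', 'detail', 'errno'}. setxattr/getxattr are
    injectable so the classification can be exercised without a real
    SELinux-capable kernel; by default the Linux-only os.setxattr/getxattr
    are used (resolved lazily so the module imports on any platform).
    """
    setxattr = setxattr or os.setxattr
    getxattr = getxattr or os.getxattr
    try:
        setxattr(path, SELINUX_XATTR, label)
        readback = getxattr(path, SELINUX_XATTR)
    except OSError as exc:
        cls, detail = classify_failure(exc)
        return {"ok": False, "class": cls, "detail": detail, "errno": exc.errno}
    # The kernel may or may not include a trailing NUL in the context.
    if readback.rstrip(b"\0") != label:
        return {"ok": False, "class": "mismatch",
                "detail": f"label read back as {readback!r}", "errno": None}
    return {"ok": True, "class": "supported",
            "detail": "label set and read back", "errno": None}


if __name__ == "__main__":
    import sys
    # Pass a file on the virtiofs mount; otherwise a scratch file is used
    # (constructed placeholder, only useful to see the tool's output format).
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        fd, target = tempfile.mkstemp(prefix="selinux-probe-")
        os.close(fd)
    result = probe_label_support(target)
    print(f"{target}: {result['class']} ({result['detail']})")
```

An EOPNOTSUPP result matches what Dan Walsh describes above (the SELinux hook refusing labels on a mount its policy does not mark as labelable), so the next place to look is the guest policy for the virtiofs filesystem type; EPERM instead points at the host side, where virtiofsd needs CAP_SYS_ADMIN to write security.* xattrs on behalf of the guest.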