virtiofs and its optional xattr support vs. fs_use_xattr

[Ondrej Mosnacek <omosnace@redhat.com>]

Hi everyone,

In [1] we ran into a problem with the current handling of filesystem
labeling rules. Basically, it is only possible to specify either
genfscon or fs_use_xattr for a given filesystem, but in the case of
virtiofs, certain mounts may support security xattrs, while other ones
may not.

So we can't use the xattr support by adding fs_use_xattr virtiofs
(...); to the policy, because then a non-xattr mount will fail
(SELinux does a mount-time check on the root inode to make sure that
the xattr handler works), but we also don't want to stay on genfscon,
because then we can't relabel files.

So my question is how to best address this? One option is to use a
similar "hack" as for cgroupfs; i.e. do a kind of mixed genfs-xattr
labeling, but that's ugly and requires hard-coding another FS name in
the selinux code. The only other alternative I could come up with is
to add a new FS labeling statement that would specify some kind of
mixed genfscon / fs_use_xattr behavior. That would be a better
long-term solution, but leads to more questions on how such statement
should actually work... Should it work the cgroupfs way, giving a
default label to everything and allowing to set/change labels via
xattrs? Or should it rather just detect xattrs support and switch
between SECURITY_FS_USE_XATTR and SECURITY_FS_USE_GENFS behavior based
on that? In the latter case, should the statement specify two contexts
(one for fs_use_xattr and another one for genfscon) or just one for
both behaviors?

Any thoughts/pointers welcome.

[1] https://github.com/fedora-selinux/selinux-policy/pull/478

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.