On Thu, May 09, 2024 at 04:47:48PM +0000, Andrea Bolognani wrote:
> On Thu, May 09, 2024 at 05:10:50PM GMT, Peter Krempa wrote:
> > Now, the thing I see as a problem is the case when NFS not supporting
> > xattr is used. This means that the remote VM can set XATTRs and must
> > use the 'virt_use_nfs' sebool.
>
> I must be confused about the purpose of the virt_use_nfs sebool, and
> I can't seem to find decent documentation about it. Do you have any
> handy?
Out of the box, there usually is no ability for QEMU to access
files stored on NFS whatsoever, because NFS lacks support for
storing (svirt_image_t:MCS) labels in xattr.

Setting virt_use_nfs toggles the policy such that QEMU can now
access *any* nfs_t file. This lets QEMU work on NFS lacking
label support, but at the cost of killing MAC protection against
any other non-VM related files that might be stored on NFS. DAC
protection still applies though, since we're not running QEMU
as root.

If an NFS deployment *does* support SELinux labels, there is
no reason to use virt_use_nfs, and it should not be used due
to reduced MAC protection.

If an NFS deployment does *not* support SELinux labels, then
virt_use_nfs must be turned on.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
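An added check script illustrating Daniel's rule above (this is example code, not part of the thread or of libvirt): it probes whether an NFS share actually stores SELinux labels by setting the svirt_image_t type on a scratch file and reading it back, then compares that with the current virt_use_nfs state. It assumes GNU coreutils (chcon, stat, mktemp), getsebool from policycoreutils, and a mount path supplied by the caller.

```shell
#!/bin/sh
# Example (not from the thread): is virt_use_nfs warranted for a given NFS share?

# Pure decision logic, usable without an NFS mount.
#   $1: "yes" if the share stores SELinux labels in xattrs, "no" otherwise
#   $2: current boolean state as printed by getsebool, "on" or "off"
# Prints one of: ok-off, ok-on, enable, disable
virt_use_nfs_advice() {
    case "$1:$2" in
        yes:off) echo ok-off ;;   # labels work, per-VM MAC intact, nothing to do
        yes:on)  echo disable ;;  # labels work; bool needlessly opens every nfs_t file
        no:on)   echo ok-on ;;    # no label support, so the bool is required
        no:off)  echo enable ;;   # QEMU will be denied access to its disk images
        *)       echo "bad input: $1:$2" >&2; return 1 ;;
    esac
}

# Probe whether a directory (the NFS mount) accepts an SELinux label change:
# create a scratch file, try to set the svirt_image_t type libvirt uses for
# disk images, and read the type back. Prints "yes" or "no".
# On a share without label support chcon fails (or stat keeps showing nfs_t).
nfs_stores_labels() {
    dir=$1
    f=$(mktemp "$dir/.label-probe.XXXXXX") || return 1
    ans=no
    if chcon -t svirt_image_t "$f" 2>/dev/null &&
       [ "$(stat -c %C "$f" 2>/dev/null | cut -d: -f3)" = svirt_image_t ]; then
        ans=yes
    fi
    rm -f "$f"
    echo "$ans"
}

# Usage: sh check-virt-use-nfs.sh /var/lib/libvirt/images   (assumed NFS mount path)
if [ -n "$1" ]; then
    labels=$(nfs_stores_labels "$1") || exit 1
    state=$(getsebool virt_use_nfs | awk '{print $3}')   # "virt_use_nfs --> on"
    echo "labels=$labels virt_use_nfs=$state advice=$(virt_use_nfs_advice "$labels" "$state")"
fi
```

The "disable" outcome is the one worth alerting on: the share already carries per-VM labels, so the boolean only widens QEMU's reach to every other nfs_t file.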