
On Thu, May 09, 2024 at 05:10:50PM GMT, Peter Krempa wrote:
> Now, things I see as a problem in the case when NFS not supporting xattr is used. This means that the remote VM can set XATTRs and must use the 'virt_use_nfs' sebool.
I must be confused about the purpose of the virt_use_nfs sebool, and I can't seem to find decent documentation about it. Do you have any handy? Have you actually been able to use either SELinux or (trusted) XATTRs on an NFS-mounted filesystem? If so, how?
> IMO the only proper option to do this across the XATTR boundary will be to have an additional step in the finalizing phase of migration that will unref the libvirt labels. In the case when the last reference is gone it'd need to also restore the label, same as it does now. During migration there'll need to be a period while two refs are on the libvirt xattrs.
This sounds fairly attractive from a high-level point of view, though I'll admit that I'm concerned about things going out of sync and unintentionally cutting off file access to the target host as a consequence of that.
> As said, I'll need to actually check what's really happening in regards to the SELinux labels.
Please do. Hopefully you'll get further than I was able to :)

-- 
Andrea Bolognani / Red Hat / Virtualization